The Drupal development team has released the Drupal version 8.2.7 that addressed a number of vulnerabilities in the popular CMS. The list of flaws includes an access bypass issue, a cross-site request forgery (CSRF) vulnerability, and a remote code execution flaw.
An access bypass flaw, tracked as CVE-2017-6377 and affecting the Editor module, is considered the most severe of the vulnerabilities.
“When adding a private file via a configured text editor (like CKEditor), the editor will not correctly check access for the file being attached, resulting in an access bypass,” reads the description provided in the security advisory by Drupal.
Another moderately critical vulnerability is a CSRF flaw tracked as CVE-2017-6379; it is caused by the lack of CSRF protection on some administrative paths. An attacker can exploit the issue to disable some blocks of a website by knowing their block ID.
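As an added illustration of the class of weakness described above (not Drupal core's actual route definitions or the 8.2.7 patch), the fragment below shows a hypothetical module's routing.yml with a state-changing admin path first lacking and then requiring Drupal 8's built-in CSRF token check; the module name, route names, controller and permission are assumed for the example.

```yaml
# Hypothetical module "mymodule": two versions of the same admin route.

# WEAK: the action is reachable by a plain GET carrying only the block ID in
# the path and is guarded by a permission check alone. A request to this URL
# issued from another site by a logged-in administrator's browser is
# indistinguishable from a legitimate one, so the block gets disabled.
mymodule.block_disable_unprotected:
  path: '/admin/mymodule/block/{block}/disable'
  defaults:
    _controller: '\Drupal\mymodule\Controller\BlockController::disable'
  requirements:
    _permission: 'administer blocks'

# FIXED: the route additionally requires a CSRF token. Drupal's
# CsrfAccessCheck rejects any request whose "token" query parameter does not
# match the session-bound token for this path. Links generated in-site with
# Url::fromRoute() get the token appended automatically, while a URL forged
# elsewhere cannot carry a valid one and receives 403.
mymodule.block_disable:
  path: '/admin/mymodule/block/{block}/disable'
  defaults:
    _controller: '\Drupal\mymodule\Controller\BlockController::disable'
  requirements:
    _permission: 'administer blocks'
    _csrf_token: 'TRUE'
```

When auditing contributed or custom modules, grepping routing.yml files for admin paths that change state but lack `_csrf_token` (or that use a form-based route, which carries its own token) is a quick way to spot the same pattern.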
Next on the list is a remote code execution vulnerability, CVE-2017-6381, which has also been rated moderately critical. The RCE flaw affects a third-party library and is related to development dependencies.
The good news is that the Composer development dependencies are typically not installed on production sites, and the default PHP execution protection in Drupal's .htaccess further limits the exposure.
In order to improve the security of Drupal installs, the latest release, Drupal 8.2.7, includes a security update for the phpunit development dependency: Drupal core in the new release requires the most secure version of phpunit available.
It is essential to update the Drupal version: CMS platforms are privileged targets for attackers who try to exploit known vulnerabilities using exploit code available online.
Outdated versions expose websites and their users to the risk of cyber attacks.
In September, the researchers at the SANS Institute’s Internet Storm Center reported seeing attempts to exploit a highly critical vulnerability in a third-party Drupal module, the RESTful Web Services (RESTWS) module.
(Security Affairs – Drupal version 8.2.7, Hacking)