Drupal patches seven vulnerabilities in content management system platform

This week, Drupal developers patched seven vulnerabilities in versions 6, 7 and 8 of its content management system platform.

Drupal, the open source platform used to build websites and web applications, rated four of the patched flaws as moderately critical and the other two as less critical.

According to the advisory, the vulnerability gives unauthorised users access to restricted content, allowing them to view and add comments and content in certain restricted areas of the CMS.

‘Unsanitised data’

Tim Mackey, technology evangelist at Black Duck by Synopsys, commented: “The Drupal project community have released patches for Drupal 7 and Drupal 8 based installations. The recommended versions are 7.58 and 8.5.1. Drupal 6 is also vulnerable, and the Drupal project recommends working with a Drupal 6 long-term support vendor for assistance.

“This is a vulnerability which allows unsanitised data to enter the Drupal data space. Under such circumstances, a malicious user could cause Drupal to return data which the page authors never intended to be presented on the given page.

“Since the vulnerability is present within the bootstrap process, the best mitigation model is to convert the Drupal site to a pure HTML site. Administrative and maintenance pages are similarly impacted because the issue is present in the bootstrap process.”

Content management software

The critical flaw is CVE-2018-7600, in Drupal's content management software.

“The CVE-2018-7600 is an input validation issue where invalid query parameters could be passed into Drupal web pages. Available patches implement an input sanitisation module which loads during the bootstrap process for a given module,” continued Mackey.
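To make the mitigation Mackey describes concrete, the following is an added example written for this article, not Drupal's own code. It assumes, as Drupal's actual fix does, that a request-bag sanitiser runs at bootstrap before any module code and that keys beginning with `#` are untrusted, because Drupal's Render API reserves `#`-prefixed keys for internal render-array properties. The recursion, the `sanitise_request` wrapper and the sample request are constructed for illustration; Drupal's real sanitiser is written in PHP and this Python version only mirrors the idea.

```python
"""Bootstrap-time request sanitiser (illustrative, not Drupal's code).

Assumption: any parameter key starting with '#' is reserved for the
framework's internal render properties and must never arrive from the
client, so it is stripped before any page or module logic sees it.
"""
from typing import Any, Dict, List, Tuple

RESERVED_PREFIX = "#"


def strip_reserved_keys(params: Any, path: str = "") -> Tuple[Any, List[str]]:
    """Return (clean_copy, removed_paths).

    Recurses into nested dicts and lists, because PHP decodes query strings
    and form posts into nested arrays and a reserved key may sit at any depth.
    """
    removed: List[str] = []
    if isinstance(params, dict):
        clean: Dict[Any, Any] = {}
        for key, value in params.items():
            here = f"{path}[{key}]" if path else str(key)
            if str(key).startswith(RESERVED_PREFIX):
                removed.append(here)          # drop the key, remember where it was
                continue
            sub, sub_removed = strip_reserved_keys(value, here)
            clean[key] = sub
            removed.extend(sub_removed)
        return clean, removed
    if isinstance(params, list):
        clean_list: List[Any] = []
        for i, value in enumerate(params):
            sub, sub_removed = strip_reserved_keys(value, f"{path}[{i}]")
            clean_list.append(sub)
            removed.extend(sub_removed)
        return clean_list, removed
    return params, removed                    # scalar leaf: nothing to strip


def sanitise_request(query: Dict[str, Any], post: Dict[str, Any],
                     cookies: Dict[str, Any]) -> Tuple[Dict[str, Any], List[str]]:
    """Sanitise all three parameter bags in one pass, before routing.

    Returns the cleaned bags plus a list of dropped keys (prefixed with the
    bag name) so the event can be written to an audit log.
    """
    cleaned: Dict[str, Any] = {}
    dropped: List[str] = []
    for name, bag in (("query", query), ("post", post), ("cookie", cookies)):
        clean_bag, removed = strip_reserved_keys(bag)
        cleaned[name] = clean_bag
        dropped.extend(f"{name}:{p}" for p in removed)
    return cleaned, dropped


if __name__ == "__main__":
    # Constructed sample request: one ordinary field plus one nested
    # '#'-prefixed key that the sanitiser must remove before bootstrap continues.
    sample_query = {"q": "node/1", "form": {"#reserved": "x", "title": "hello"}}
    clean, dropped = sanitise_request(sample_query, {}, {})
    print(clean)    # {'query': {'q': 'node/1', 'form': {'title': 'hello'}}, 'post': {}, 'cookie': {}}
    print(dropped)  # ['query:form[#reserved]']
```

Running the sanitiser before any module loads is what makes it a bootstrap-level control rather than a per-page one; the list of dropped keys is worth logging, since a sudden rise in stripped reserved keys across a site is a useful detection signal for probing against this class of input-validation bug.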

The Drupal project also strongly recommends that all Drupal administrators upgrade their systems immediately, even though there is currently no evidence of a public exploit.

Written by Leah Alger