Drupal, an open source content management system (CMS) used on many major websites, has issued a security update that resolves three security flaws: one minor and two major vulnerabilities in version 8 of the platform, affecting as many as 10,000 sites.
The first bug, considered the least critical of the three, allows attackers to change the visibility of comments. By default, users without admin rights should not be able to set comment visibility on nodes they have rights to edit. The second vulnerability, rated critical, is a cross-site scripting flaw: Drupal was not properly sanitizing some HTTP exceptions, so an attacker could craft a URL that executes arbitrary code in a victim's browser. The third flaw is also rated critical, as it could allow full Drupal configuration reports to be downloaded without administrative permissions; the affected system.temporary route should be restricted to users holding the Export configuration permission.
The Drupal security team urges admins to install the latest updates because exploits are expected to be developed within days. If exploited, the bugs could let an attacker take over any site running the vulnerable modules. This update is also thought to fix the critical vulnerabilities used to leak the Panama Papers earlier this year.