Severity Rating: High
Software Affected
· Drupal Version prior to 7.x
· Drupal Version prior to 8.8.x
· Drupal Version prior to 8.9.x
· Drupal Version prior to 9.0.x
Overview
Multiple vulnerabilities have been reported in Drupal which could allow a
remote attacker to execute arbitrary code, bypass certain security
restrictions, or perform cross-site request forgery on the targeted system.
Description
1. Cross Site Request Forgery Vulnerability
This vulnerability exists in Drupal core due to improper handling of certain
form input by the affected software. A remote attacker could exploit this
vulnerability by luring a user into visiting a malicious site that issues
cross-site requests.
Successful exploitation of this vulnerability could lead to other
vulnerabilities.
2. Remote Code Execution Vulnerability
This vulnerability exists in Drupal core due to improper handling of the
file system by the affected Drupal core software. A remote attacker could
exploit this vulnerability by luring a user into visiting a malicious site,
which could result in a carefully named directory being created on the file
system.
With that directory in place, an attacker could attempt to brute force a
remote code execution vulnerability.
3. Access Bypass Vulnerability
This vulnerability exists in Drupal core due to improper handling of
validation requests by the affected software. Only sites that have
read_only set to FALSE under the jsonapi.settings configuration are
vulnerable.
Successful exploitation of this vulnerability could lead to access bypass
on the targeted system.
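The access bypass issue above applies only to sites whose JSON:API module is not in read-only mode, so the first check a site owner wants is the value of read_only in jsonapi.settings. The following audit script is an added example, not part of the advisory or of Drupal itself. It assumes the site's active configuration has been exported (for instance with drush config:export) so that jsonapi.settings.yml is available as text; the two sample file contents are constructed to show the affected setting (read_only: false) beside the hardened one (read_only: true), and the hash value in them is a placeholder.

```python
"""Audit an exported Drupal jsonapi.settings.yml for the read_only flag.

Added example (not from the advisory or the Drupal project). Assumes the
configuration was exported to YAML, e.g. with `drush config:export`.
"""

# Constructed sample: the affected configuration described in the advisory.
VULNERABLE_CONFIG = """\
_core:
  default_config_hash: PLACEHOLDER_HASH
read_only: false
"""

# Constructed sample: the hardened configuration (JSON:API in read-only mode).
HARDENED_CONFIG = """\
_core:
  default_config_hash: PLACEHOLDER_HASH
read_only: true
"""


def parse_flat_yaml(text):
    """Parse top-level `key: value` pairs from a simple Drupal config export.

    Indented (nested) lines such as the `_core:` block are skipped. This is a
    deliberately small parser for flat config files, not a YAML implementation;
    use PyYAML for anything richer.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        # Skip blanks, comments and nested block content.
        if not line or line.startswith("#") or line.startswith((" ", "\t")):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if value == "":
            continue  # block mapping header like `_core:`
        lowered = value.lower()
        if lowered in ("true", "false"):
            settings[key.strip()] = lowered == "true"
        else:
            settings[key.strip()] = value.strip("'\"")
    return settings


def jsonapi_write_enabled(config_text):
    """Return True when JSON:API accepts writes, i.e. read_only is not TRUE.

    A missing or non-boolean value is reported as write-enabled so that an
    incomplete or odd export is flagged for review rather than silently passing.
    """
    settings = parse_flat_yaml(config_text)
    return settings.get("read_only") is not True


def audit(config_text):
    """Return (flagged, message) for the contents of jsonapi.settings.yml."""
    if jsonapi_write_enabled(config_text):
        return True, ("jsonapi.settings read_only is not TRUE: the site is in the "
                      "affected configuration; set read_only to TRUE or apply "
                      "the vendor update")
    return False, "jsonapi.settings read_only is TRUE: JSON:API writes are disabled"


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        flagged, message = audit(text)
        print(f"{label}: {'FLAGGED' if flagged else 'ok'} - {message}")
```

Run the script against the real exported file by reading it into a string and passing it to audit(); a flagged result means the site matches the affected configuration regardless of whether the Drupal core update has been applied yet, so both the setting and the core version should be reviewed.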
Solution
Apply appropriate updates as mentioned in the following URLs.
Vendor Information
Drupal
References
Drupal
About Cert Advisory
We have created this blog to provide the latest security advisories from India CERT on security vulnerabilities, threats, attacks, and the patching required to mitigate cyber attacks.