Multiple critical security vulnerabilities in Drupal 8, patches released

Users of the Drupal content management platform are urged to update immediately: versions 8.0 through 8.3.6 are affected by several security vulnerabilities, including a critical access bypass, the Drupal Security Team announced on Wednesday.
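Because the affected range is defined purely by the core release, the first thing a practitioner wants is a reliable answer to "which version is this site running?". The script below is an added example, not code from the article or from the Drupal project: it reads the `const VERSION` declaration that Drupal 8 keeps in core/lib/Drupal.php and decides whether the release falls inside the affected range (the 8.x branch before 8.3.7, the first fixed release, which the article does not name). The `SAMPLE_DRUPAL_PHP` excerpt is constructed for the example, and the conservative treatment of pre-release and `-dev` version strings is this example's own assumption rather than anything the advisory states.

```python
import re

# First 8.x release that carries the fixes; the article's affected range is
# 8.0 through 8.3.6, i.e. everything in the 8.x branch before this.
FIRST_FIXED = (8, 3, 7)

# Drupal 8 declares its version in core/lib/Drupal.php as:
#     const VERSION = '8.3.6';
VERSION_DECL_RE = re.compile(r"const\s+VERSION\s*=\s*'([^']+)'\s*;")
# Tagged releases look like 8.3.6 or 8.4.0-beta1; Drupal 7 used two parts (7.56).
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.]+))?")

# Constructed stand-in for core/lib/Drupal.php so the example runs offline.
SAMPLE_DRUPAL_PHP = """<?php
// hypothetical excerpt in the shape of core/lib/Drupal.php, not the real file
class Drupal {
  const VERSION = '8.3.6';
}
"""


def parse_version(text):
    """Split '8.3.6' into ((8, 3, 6), None) and '8.4.0-beta1' into ((8, 4, 0), 'beta1')."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("unrecognised Drupal version string: %r" % text)
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0)), pre


def version_from_drupal_php(source):
    """Return the VERSION constant found in the text of core/lib/Drupal.php."""
    m = VERSION_DECL_RE.search(source)
    if not m:
        raise ValueError("no 'const VERSION' declaration found in input")
    return m.group(1)


def is_affected(version):
    """True/False for a tagged release.

    Returns None for a '-dev' snapshot: its version string does not say which
    commits it contains, so the check cannot decide (assumption of this example).
    """
    nums, pre = parse_version(version)
    if pre == "dev":
        return None
    if nums[0] != 8:
        return False  # the advisory covers the 8.x branch only
    if nums < FIRST_FIXED:
        return True
    # A pre-release of the fixed version (e.g. 8.3.7-rc1) still predates the fix.
    return nums == FIRST_FIXED and pre is not None


def check_site(drupal_php_source):
    """Return (version string, verdict) for the given core/lib/Drupal.php contents."""
    version = version_from_drupal_php(drupal_php_source)
    return version, is_affected(version)


if __name__ == "__main__":
    import sys

    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DRUPAL_PHP
    version, affected = check_site(source)
    verdict = {
        True: "AFFECTED, update to 8.3.7 or later",
        False: "not in the affected range",
        None: "dev snapshot, cannot tell from the version string",
    }[affected]
    print("Drupal %s: %s" % (version, verdict))
```

Run it with the path to a site's core/lib/Drupal.php, or with no argument to check the constructed sample. A version inside the range means the core code is affected; whether the REST comment issue described below is actually reachable also depends on the RESTful Web Services module and the comment resource being enabled, which a version string cannot tell you.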

The Drupal Security Team has released fixes for a set of access bypass vulnerabilities in Drupal 8. The first affects sites that use the RESTful Web Services module together with the comment entity REST resource: an attacker who holds an account allowed to post comments, or who can comment anonymously, can post comments that are published without going through approval.

“When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments,” the security team writes.

“This issue only affects sites that have the RESTful Web Services (rest) module enabled, the comment entity REST resource enabled, and where an attacker can access a user account on the site with permissions to post comments, or where anonymous users can post comments.”

A second flaw, CVE-2017-6925, lets a third party view and change content on the site, including creating and deleting entities.

“There is a vulnerability in the entity access system that could allow unwanted access to view, create, update, or delete entities. This only affects entities that do not use or do not have UUIDs, and entities that have different access restrictions on different revisions of the same entity,” reads the advisory.

For more technical details, see the Drupal security advisory (SA-CORE-2017-004).