Third among the world's best-known Content Management Systems after WordPress and Joomla, Drupal is a much sought-after CMS. Drupal powers sites including MTV, Popular Science, Sony Music, Harvard, and MIT. Like any other CMS, Drupal has been in the spotlight a few times because of serious vulnerabilities. The feature that sets it apart is its flexibility, together with the modularity that is a core principle of the platform. Recently, critical vulnerabilities have been found in Drupal affecting versions 8.4.x and 7.x. The details of the vulnerabilities are given below:
Description: End users can view content and comments of other users which they are not authorized to view. This compromises the confidentiality of that content.
Description: By default, Drupal's private file system checks whether the person requesting a private file is allowed to access it. When one module tries to grant access to the file and another tries to deny it, an access bypass can occur. This vulnerability can be exploited only in certain environments.
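The grant-versus-deny conflict described above, shown as an added illustration that is not Drupal's own code: it models the `hook_file_download()` return convention (a module returns response headers to grant, -1 to deny, or nothing to abstain) with two constructed sample modules, and contrasts an order-dependent resolver with one where any deny wins.

```python
from typing import Callable, Dict, List, Optional, Union

# Modelled on Drupal's hook_file_download() convention (an assumption for
# this illustration): a module returns a dict of HTTP headers to grant
# access, -1 to deny access, or None to express no opinion.
Verdict = Union[Dict[str, str], int, None]
Hook = Callable[[str, str], Verdict]  # (file uri, user name) -> verdict


def grant_if_owner(uri: str, user: str) -> Verdict:
    """Constructed sample module: the owner of a file may download it."""
    if uri.startswith(f"private://{user}/"):
        return {"Content-Type": "application/octet-stream"}
    return None


def deny_quarantined(uri: str, user: str) -> Verdict:
    """Constructed sample module: quarantined files are never served."""
    return -1 if "/quarantine/" in uri else None


def decide_first_answer(hooks: List[Hook], uri: str, user: str) -> bool:
    """Weak policy: the first module with an opinion decides.

    The outcome depends on module order, so a granting module that runs
    before a denying one silently bypasses the deny.
    """
    for hook in hooks:
        verdict = hook(uri, user)
        if verdict is not None:
            return verdict != -1
    return False


def decide_deny_overrides(hooks: List[Hook], uri: str, user: str) -> bool:
    """Hardened policy: collect every verdict; any deny wins, and at
    least one explicit grant is required (deny by default)."""
    verdicts = [hook(uri, user) for hook in hooks]
    if any(v == -1 for v in verdicts):
        return False
    return any(isinstance(v, dict) for v in verdicts)
```

Running both resolvers over the same hook list shows the weak policy serving a quarantined file to its owner while the deny-overrides policy refuses it regardless of module order.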
Description: If a custom or contrib module implements the Settings Tray, the data in the settings tray can be tampered with without the required permissions. This Drupal update fixes the issue but does not guarantee complete security.
These vulnerabilities make the latest Drupal updates very critical. So far we have seen only a few of them being exploited in the wild, but attackers are expected to target them in the coming weeks. If for some reason you cannot update your Drupal installation, or want an out-of-the-box security solution, then feel free to give Astra a shot!
A full disclosure by Drupal can be read here.