Multiple Privilege Escalation Vulnerabilities Found in Drupal 8.4.x & 7.x [Update Immediately]

Updated on: March 29, 2020

Third among the world's best-known content management systems after WordPress and Joomla, Drupal is a sought-after CMS. Drupal powers sites including MTV, Popular Science, Sony Music, Harvard, and MIT. Like any other CMS, Drupal has been in the spotlight a couple of times because of vulnerabilities in it. What makes it stand out is considered to be its flexibility, along with the modularity that is a core principle of the platform. Recently, critical vulnerabilities have been found in Drupal affecting versions 8.4.x and 7.x. The details of the vulnerabilities are given below:

Description: End users can view content and comments of other users which they aren’t authorized to view. This compromises the integrity of the content.

Description: By default, Drupal's private file system checks whether a person trying to access a private file has access to that file. When one module is trying to grant access to the file and another is trying to deny it, an access bypass can occur. This vulnerability can be exploited only in certain environments.
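The grant/deny conflict described above can be modelled in a few lines. This is an added example, not Drupal's code and not taken from the advisory, which this page does not detail: the vote values follow the convention of Drupal 7's `hook_file_download` (-1 denies, an array of headers grants, NULL means no opinion), while the function names and the order-dependent "last wins" combiner are assumptions chosen to show the failure mode beside a deny-wins rule.

```php
<?php
// Simplified model of combining per-module answers to a private-file request.
// Vote convention (modelled on Drupal 7's hook_file_download):
//   -1 = deny, array of headers = grant, null = no opinion.
// Function names are hypothetical; sample votes are constructed.

// Weak combiner: the last module with an opinion decides, so the outcome
// depends on module order and a later grant overrides an earlier deny.
function combine_last_wins(array $votes): bool {
    $allowed = false;
    foreach ($votes as $vote) {
        if ($vote === -1) {
            $allowed = false;
        } elseif (is_array($vote)) {
            $allowed = true;
        }
    }
    return $allowed;
}

// Hardened combiner: any deny is final; otherwise at least one grant is required.
function combine_deny_wins(array $votes): bool {
    $granted = false;
    foreach ($votes as $vote) {
        if ($vote === -1) {
            return false;
        }
        if (is_array($vote)) {
            $granted = true;
        }
    }
    return $granted;
}

// Regression check: try every vote assignment across $modules modules and
// collect the ones where access is allowed even though some module denied.
function find_bypasses(callable $combine, int $modules = 3): array {
    $options = [null, -1, ['Content-Type' => 'application/pdf']];
    $bypasses = [];
    for ($i = 0; $i < 3 ** $modules; $i++) {
        $votes = [];
        for ($m = 0, $n = $i; $m < $modules; $m++, $n = intdiv($n, 3)) {
            $votes[] = $options[$n % 3];
        }
        if (in_array(-1, $votes, true) && $combine($votes)) {
            $bypasses[] = $votes;
        }
    }
    return $bypasses;
}

printf("last-wins bypasses: %d\n", count(find_bypasses('combine_last_wins')));
printf("deny-wins bypasses: %d\n", count(find_bypasses('combine_deny_wins')));
```

The same exhaustive check can be kept as a regression test for any custom access logic that merges answers from several modules.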

Description: If a custom or contrib module implements 'Settings Tray', then the data in the settings tray can be tampered with without permissions. This Drupal update fixes this but doesn't assure that there is complete security.

These vulnerabilities make the latest Drupal updates critical. Currently, we have seen only a few of these vulnerabilities being exploited in the wild, but it is expected that hackers will target them in the coming weeks. If for some reason you can't update your Drupal or want an out-of-the-box security solution, then feel free to give Astra a shot!

A full disclosure by Drupal can be read here.

Shikhil Sharma

Shikhil Sharma is the founder & CEO of Astra Security. Being involved with cybersecurity for over six years now, his vision is to make cyber security a 5-minute affair. Shikhil plays on the line between security and marketing. When not thinking about how to make Astra super simple, Shikhil can be found enjoying alternative rock or a game of football. Astra Security has been rewarded at Global Conference on Cyber Security by PM of India Mr. Narendra Modi. French President Mr. François Hollande also rewarded Astra under the La French Tech program. Astra Security is also a NASSCOM Emerge 50 company.