Last week Drupal released version 8.4.5 (security advisory SA-CORE-2018-001), which addresses two critical and several moderately critical security vulnerabilities in Drupal core; Drupal 7 sites receive the same advisory's fixes in 7.57. The Drupal security team urges all site owners to update immediately, before these vulnerabilities are exploited in the wild.

Critical Vulnerabilities

Two critical vulnerabilities were addressed in this update. The first is in the comment system: through the comment reply form, users with permission to post comments could view content and comments they were not authorised to see, and could post comments on that content. If commenting is disabled on the site, this issue is not exploitable.

The second is an incomplete fix for an earlier cross-site scripting (XSS) vulnerability. Drupal's JavaScript escaping function, Drupal.checkPlain(), which is meant to neutralise untrusted text before it is written into HTML, did not handle every way of injecting markup, so an attacker could still get script into a page despite the earlier patch. The escaping has now been corrected. Custom JavaScript that builds HTML from user input by string concatenation is not covered by this fix and must escape for the context it writes into (text node, double-quoted attribute or single-quoted attribute).
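The following is an added illustration, not Drupal's code and not a reconstruction of the actual Drupal patch: it shows why an HTML escaper that stops at `&`, `"`, `<` and `>` is "incomplete" in the sense the advisory uses. The single-quote case is an assumed example of a missed injection path, and the `renderTitleAttr` template and `PAYLOAD` are constructed for the demonstration.

```javascript
// Added illustration (not Drupal's code): an HTML escaper that stops at
// &, ", < and > is only safe for text nodes and double-quoted attributes.
// Output placed inside a single-quoted attribute still breaks out.

// Incomplete escaper: misses the single quote (assumed missed case).
function escapeIncomplete(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened escaper: one pass over all five significant characters, so
// nothing is double-escaped and the single quote is neutralised too.
const HTML_ESCAPES = { '&': '&amp;', '"': '&quot;', "'": '&#39;', '<': '&lt;', '>': '&gt;' };
function escapeComplete(str) {
  return String(str).replace(/[&"'<>]/g, (ch) => HTML_ESCAPES[ch]);
}

// A hypothetical template that single-quotes its attribute values.
function renderTitleAttr(untrusted, escape) {
  return "<a href='/node/1' title='" + escape(untrusted) + "'>link</a>";
}

// Constructed payload: closes the title attribute and appends an event handler.
const PAYLOAD = "x' onmouseover='alert(document.cookie)";

// Minimal attribute tokenizer for the start tag above: returns the attribute
// names a browser would see, which is the real test of whether a breakout occurred.
function attributeNames(html) {
  const tag = html.slice(0, html.indexOf('>'));
  return Array.from(tag.matchAll(/\s([a-z]+)='[^']*'/gi), (m) => m[1].toLowerCase());
}

// Stand-alone demonstration.
console.log('incomplete:', attributeNames(renderTitleAttr(PAYLOAD, escapeIncomplete)));
console.log('complete:  ', attributeNames(renderTitleAttr(PAYLOAD, escapeComplete)));
```

With the incomplete escaper the rendered tag gains a third attribute, `onmouseover`; with the complete one the payload stays inside `title`. The general lesson is to escape for the output context rather than for a fixed list of "dangerous" characters.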

Moderate Vulnerabilities

Several moderately critical vulnerabilities were also patched. The first is a private file access bypass (this one affects Drupal 7). When a site uses Drupal's private file system, Drupal is meant to check that the user may view a file before letting them download it; under certain conditions, when one module grants access to a file while another denies it, that check failed and the file was served anyway. This has been corrected.
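The following is an added example, not Drupal's code and not the logic of the actual Drupal patch: it shows the general shape of the failure the advisory describes, several modules each giving an opinion on a private file, and the combining rule that makes the check safe. The file records, the two access callbacks and the user objects are constructed for the demonstration.

```javascript
// Added example (not Drupal's code): combining several access opinions for a
// private file download so that a deny from any one module wins and "no
// opinion" fails closed.

const ALLOW = 'allow', DENY = 'deny', NEUTRAL = 'neutral';

// Constructed private file records.
const FILES = {
  'private://reports/q4.pdf': { owner: 'alice', published: false },
  'private://brochure.pdf':   { owner: 'alice', published: true },
};

// Hypothetical module A: owners may always read their own files.
function ownerAccess(uri, user) {
  return FILES[uri].owner === user.name ? ALLOW : NEUTRAL;
}

// Hypothetical module B: unpublished files are off limits without the bypass permission.
function publishedAccess(uri, user) {
  if (FILES[uri].published) return NEUTRAL;
  return user.permissions.includes('bypass node access') ? NEUTRAL : DENY;
}

// Wrong: the first ALLOW wins, so module A's grant hides module B's denial.
function combineFirstAllowWins(results) {
  return results.includes(ALLOW) ? ALLOW : DENY;
}

// Right: any DENY wins; at least one explicit ALLOW is required; all-NEUTRAL is a denial.
function combineDenyWins(results) {
  if (results.includes(DENY)) return DENY;
  return results.includes(ALLOW) ? ALLOW : DENY;
}

// The download gate: ask every module, then combine. Unknown files fail closed.
function canDownload(uri, user, combine = combineDenyWins) {
  if (!(uri in FILES)) return false;
  const opinions = [ownerAccess, publishedAccess].map((cb) => cb(uri, user));
  return combine(opinions) === ALLOW;
}

// Stand-alone demonstration with constructed users.
const alice = { name: 'alice', permissions: [] };
const bob = { name: 'bob', permissions: [] };
console.log('unpublished report, allow-wins:', canDownload('private://reports/q4.pdf', alice, combineFirstAllowWins));
console.log('unpublished report, deny-wins: ', canDownload('private://reports/q4.pdf', alice));
console.log('published brochure, owner:     ', canDownload('private://brochure.pdf', alice));
console.log('published brochure, stranger:  ', canDownload('private://brochure.pdf', bob));
```

The point is the combining rule, not the individual callbacks: with "first allow wins", the owner downloads an unpublished file even though another module said no; with "deny wins", a single denial is final and the absence of any grant is also a denial.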

Additionally, an external link injection vulnerability (also in Drupal 7) was found in the link Drupal generates to the current page on 404 pages: a crafted request could make that link point to an external, attacker-controlled site, so visitors who clicked it were sent off-site, which is useful for phishing. Taken together, these vulnerabilities could let attackers read or modify content and files they should not have access to, or turn the site against its visitors, for example to inject spam, plant malicious redirects or deface pages.
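The following is an added example, not Drupal's code and not the logic of the actual Drupal patch: it shows the check a practitioner wants when a page builds a link to "the current page" from the raw request path. The site origin and the sample request paths are constructed for the demonstration.

```javascript
// Added example (not Drupal's code): a link built from the raw request path
// must stay on the site's own origin, or a page that "links to the current
// page" can be turned into a link to an attacker's site.

// Constructed placeholder for the site's origin.
const SITE_ORIGIN = 'https://site.example';

// Resolve the candidate against the site origin the way a browser would,
// then keep only path and query if the result is still on our origin.
// Handles protocol-relative (//host), backslash (/\host), absolute URLs
// and non-http schemes such as javascript: without a hand-written blocklist.
function currentPageLinkSafe(requestPath, origin = SITE_ORIGIN) {
  let url;
  try {
    url = new URL(requestPath, origin);
  } catch (e) {
    return '/';                            // unparsable input: fall back to the front page
  }
  if (url.origin !== origin) return '/';   // resolved somewhere else: do not link there
  return url.pathname + url.search;
}

// Constructed request paths an attacker might supply on a 404 page.
const SAMPLES = [
  '/node/1?page=2',
  '//evil.example/login',
  '/\\evil.example/login',
  'https://evil.example/',
  'javascript:alert(1)',
];

// Returns [input, safe link] pairs; used by the stand-alone demonstration below.
function checkSamples() {
  return SAMPLES.map((p) => [p, currentPageLinkSafe(p)]);
}

for (const [input, link] of checkSamples()) {
  console.log(JSON.stringify(input).padEnd(28), '->', link);
}
```

Only the first sample survives; the protocol-relative and backslash forms are the ones a naive "starts with a slash" check lets through, because browsers resolve both `//evil.example` and `/\evil.example` to a different host.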

The full list of fixed vulnerabilities, including the ones not described above, with their technical details is in the Drupal security advisory here.

What To Do

This is a security-only release with no feature changes, so there is nothing new to test beyond confirming the site still works after the update. All Drupal site owners should update immediately; after updating, confirm that the reported core version is 8.4.5 (7.57 for Drupal 7) and clear caches so that the corrected code is what visitors receive. SiteLock Infinity customers with patching enabled on their accounts are updated automatically.

For more information on how your Drupal application can be automatically protected from malware and application vulnerabilities, call SiteLock and ask about SMART PLUS. We are available 24/7 at 855.378.6200.