Drupal has released two additional security updates in the wake of the Drupalgeddon2 critical vulnerability patched on March 28. These updates continue to address vulnerabilities related to the remote code execution vulnerability found in March in both Drupal 7.x and 8.x applications.
Tag: Security Updates
In March, Drupal released version 8.5.1 addressing several critical security vulnerabilities. At that time, there was no evidence of the vulnerability being exploited to attack Drupal sites However, on April 12, 2018, a security research firm released a detailed analysis of the vulnerability and steps to exploit it. In the days since this release, multiple exploits of the Drupalgeddon2 vulnerability have been reported.
Last week, WordPress released version 4.9.5 — a security and maintenance release. This release addressed three major security vulnerabilities and 25 other bugs. These vulnerabilities are considered low severity, and are part of an overall mission at WordPress to further enhance the security of the core application.
On March 28, 2018 Drupal released a highly critical security update affecting Drupal sites using version 7.x and 8.x. This security update addresses a critical vulnerability impacting approximately 1 million websites that could allow attackers to exploit multiple access points and take control of Drupal sites. In order to address the issue, Drupal has released two new versions and is recommending that all Drupal sites be updated as soon as possible.
On March 13, 2018, Joomla! released a security update in version 3.8.6. This update addresses a SQLi vulnerability found in the User Notes component. The notes section allowed for malicious code to be passed to the database. The update released by Joomla! limits input into the notes field to plain text and disallowing code. It is highly recommended that Joomla! users update their applications as soon as possible to address this vulnerability and avoid possible compromises. Thanks to its included continuous scanning, SiteLock Infinity users will have their applications patched quickly and automatically.
In addition to the SQLi vulnerability fix, version 3.8.6 included 60 other bug fixes and feature updates including:
- Session management improvements
- Hide configuration and system information from non-super users
- Delete existing passwords when user passwords are changed
- PHP 7.2 compatibility fixes
In order to take advantage of bug fixes and improved features, users must complete the full version upgrade even if they have patching services.
If you’re interested in automated patching services for your Joomla! site, contact us today and ask about SiteLock Infinity. We are available 24/7 at 855.378.6200.
The Joomla! team has been hard at work today releasing version 3.8.4, which contains multiple security updates and bug fixes. Specifically, four major security vulnerabilities were found in Joomla! core files. These vulnerabilities impact all Joomla! versions from 1.5 to 3.7. Three of the four vulnerabilities identified were cross site scripting (XSS) vulnerabilities found in modules and components within the core application. These vulnerabilities could potentially allow attackers to inject malicious code into otherwise legitimate website files. The fourth vulnerability, a SQL injection (SQLi) vulnerability, was identified in the post-install message and could have allowed attackers to inject malicious code into the Joomla! MySQL database.