Drupal developers patched two critical vulnerabilities this week in versions 7 and 8 of its content management system platform. Overall, Drupal patched seven vulnerabilities including four rated moderately critical and two flaws rated less critical.
The first of the critical flaws is a comment reply form bug in Drupal version 8. This vulnerability gives unauthorized users access to restricted content, allowing them to view and add comments and content in certain restricted areas in the CMS, according to the advisory published Wednesday.
“This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments,” Drupal said.
Another critical vulnerability in Drupal 7 and Drupal 8 involves a JavaScript function “Drupal.checkPlain()” flaw that it said could lead to a cross-site scripting vulnerability under certain circumstances.
“Drupal has a “Drupal.checkPlain()” JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output does not typically go through Twig autoescaping). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances,” researchers wrote.
Unaffected are “PHP functions which Drupal provides for HTML escaping,” the company said.
Drupal Drupal 8.4.5 & Drupal 7.57 have been released. They fix critical vulnerabilities. Its time to update! https://t.co/TRcapVuMi8
— Drupal Security (@drupalsecurity) February 21, 2018
Developers behind the CMS platform also fixed several moderately critical vulnerabilities, including a private file system glitch that leads to an access bypass vulnerability for users trying to view or download private files.
Another moderately critical bug is tied to Drupal 8’s Settings Tray module and allows users to update certain data that they don’t have permissions for.
“If you have implemented a Settings Tray form in contrib or a custom module, the correct access checks should be added. This release fixes the only two implementations in core, but does not harden against other such bypasses,” said Drupal’s release.
It’s not the first time Drupal has dealt with vulnerabilities in its platform – the company also released several patches in August that fixed several critical access bypass bugs in its Drupal 8 Core engine. The most serious of these security bugs allowed attackers remote access to the platform, so they could view, create, update or delete entities in the access system.