Three vulnerabilities were patched Wednesday in the Drupal content management system’s core engine, two of which were rated critical, according to an advisory posted by the Drupal security team.

Versions 8.x of the Drupal core are affected, and users are advised to upgrade to 8.1.10. Drupal is open source software used to build and manage web sites and content.

One of the critical bugs was a cross-site scripting vulnerability affecting http exceptions; exception handling is specialized programming that handles unusual computation conditions that could affect how a program executes.

“An attacker could create a specially crafted URL, which could execute arbitrary code in the victim’s browser if loaded,” the advisory said. “Drupal was not properly sanitizing an exception.”

The other critical bug allowed for a full export of the system’s configuration report without admin permissions, Drupal said.

“The system.temporary route would allow the download of a full config export,” Drupal said. “The full config export should be limited to those with Export configuration permission.”

The remaining vulnerability Drupal patched affected permissions for the administration of comments on a Drupal site.

“Users who have rights to edit a node, can set the visibility on comments for that node,” Drupal said. “This should be restricted to those who have the administer comments permission.”

In July, Drupal issued a security update that addressed critical remote code execution vulnerabilities in three modules: RESTful Web Services; Coder; and Webform Multiple File Upload. The modules had been downloaded 10,000 times as of July 13 with RESTful Web Services the most popular of the three and present on more than 5,000 Drupal sites.

Categories: Vulnerabilities, Web Security