Drupal developers fixed a number of vulnerabilities, including a prototype pollution flaw in the jQuery JavaScript library.

Developers of the popular Drupal content management system have released patches for a number of vulnerabilities that could allow attackers to remotely compromise the hundreds of thousands of websites built on it. According to the project's security advisory, all of the vulnerabilities are in third-party libraries included in or required by Drupal 8.6, Drupal 8.5 and earlier, and Drupal 7.

Among them is a fix for a vulnerability in the jQuery JavaScript library that ships with Drupal core (CVE-2019-11358). It is a prototype pollution bug: when jQuery.extend() performs a deep merge of attacker-controlled input, a "__proto__" key in that input is copied like any other, so the attacker can add or modify properties on Object.prototype, which every object in the page then inherits. Application code that later checks such a property (for example a flag on a configuration object) can be tricked into unexpected behaviour.
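To make the mechanism concrete, here is an added example that is not jQuery's or Drupal's code: a minimal recursive merge written in the style of jQuery.extend(true, ...) before the 3.4.0 fix, beside a hardened variant that skips keys reaching the prototype chain. The function names, the attacker payload and the isAdmin property are assumptions made for illustration.

```javascript
// Added example (not jQuery's or Drupal's code): a deliberately minimal
// deep merge that reproduces the pre-3.4.0 jQuery.extend() pattern, and a
// hardened version. Names below are assumptions for illustration only.

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable pattern: every enumerable key in source is copied, including an
// own property literally named "__proto__" (which JSON.parse happily creates).
// target["__proto__"] resolves to Object.prototype, so the recursive call
// writes the attacker's properties onto the prototype shared by all objects.
function mergeDeepVulnerable(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = isPlainObject(target[key]) ? target[key] : {};
      target[key] = mergeDeepVulnerable(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: iterate only the source's own keys and refuse keys that
// would walk up to the prototype ("__proto__", "constructor", "prototype").
// jQuery 3.4.0 fixed CVE-2019-11358 by skipping "__proto__" in the same way.
function mergeDeepSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (key === "__proto__" || key === "constructor" || key === "prototype") {
      continue;
    }
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = isPlainObject(target[key]) ? target[key] : {};
      target[key] = mergeDeepSafe(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker input (an assumption): e.g. a JSON request body that a
// page deep-merges into its default settings without validating the keys.
const ATTACKER_JSON = '{"theme": "dark", "__proto__": {"isAdmin": true}}';

// Runs one merge strategy against the payload and reports whether a fresh,
// unrelated object now inherits the attacker-supplied property.
function runDemo(merge) {
  const defaults = { theme: "light" };
  const merged = merge(defaults, JSON.parse(ATTACKER_JSON));
  const result = { theme: merged.theme, polluted: ({}).isAdmin === true };
  delete Object.prototype.isAdmin; // undo the pollution so later code starts clean
  return result;
}

console.log("vulnerable merge:", runDemo(mergeDeepVulnerable));
console.log("hardened merge:  ", runDemo(mergeDeepSafe));
```

Both merges produce the expected "dark" theme, but only the vulnerable one leaves `isAdmin` visible on a brand-new empty object afterwards. In a real application the impact depends on what later code does with such inherited properties; the merge itself is only the entry point.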

The remaining three vulnerabilities were fixed in the Symfony PHP components that Drupal 8 depends on: cross-site scripting (CVE-2019-10909), remote code execution (CVE-2019-10910), and authentication bypass (CVE-2019-10911). To avoid exploitation, the project recommends that:

  • Drupal 8.6 users upgrade to Drupal 8.6.15;
  • Drupal 8.5 and earlier users upgrade to Drupal 8.5.15;
  • Drupal 7 users upgrade to Drupal 7.66.

As past incidents show, cybercriminals waste no time in weaponizing Drupal vulnerabilities. Last year, for example, attackers compromised many Drupal sites through the Drupalgeddon2 (CVE-2018-7600) and Drupalgeddon3 (CVE-2018-7602) remote code execution flaws and used them to distribute malware, cryptocurrency miners and other payloads.

Save yourself from inconvenient issues and vulnerabilities – order our security services.