430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Drupal fixes the CVE-2017-6922 flaw exploited in spam campaigns in the wild

Drupal team released security updates to fix several vulnerabilities, including the critical access bypass flaw CVE-2017-6922 exploited in spam campaigns. The Drupal development team has released security updates to fix several vulnerabilities, including the critical access bypass flaw tracked as CVE-2017-6922 that has been exploited in spam campaigns. The CVE-2017-6922 flaw was fixed with the […]

Drupal PHP code execution

Drupal team released security updates to fix several vulnerabilities, including the critical access bypass flaw CVE-2017-6922 exploited in spam campaigns.

The Drupal development team has released security updates to fix several vulnerabilities, including the critical access bypass flaw tracked as CVE-2017-6922 that has been exploited in spam campaigns.

The CVE-2017-6922 flaw was fixed with the release of Drupal versions 7.56 and 8.3.4.

Drupal Security Team was observing a trend of attacks utilizing a site misconfiguration affecting all websites that allow file uploads by non-trusted or anonymous visitors, and stores the uploaded files in a public file system.

The files uploaded by the users are publicly accessible allowing anyone on the internet to access them. The site could be used by an attacker to host content that the legitimate site maintainers would not want made publicly available through their site.

“The majority of the reports are based around the webform module, however, other modules are vulnerable to this misconfiguration as well.” states the security advisory.

“For example, if a webform configured to allow anonymous visitors to upload an image into the public file system, that image would then be accessible by anyone on the internet. The site could be used by an attacker to host images and other files that the legitimate site maintainers would not want made publicly available through their site.”

Drupal is aware of attacks in the wild exploiting the flaw since October 2016, the new releases will not prevent such kind of abuses.

CVE-2017-6922 drupal

Drupal 8.3.4 also fixed a critical flaw, tracked as CVE-2017-6920, related to how the PECL YAML parser handles unsafe objects, the flaw could be exploited by an attacker for remote code execution.

Drupal also fixed in Drupal 8 is the improper field validation vulnerability tracked as CVE-2017-6921.

“A site is only affected by this if the site has the RESTful Web Services (rest) module enabled, the file REST resource is enabled and allows PATCH requests, and an attacker can get or register a user account on the site with permissions to upload files and to modify the file resource,” reads the advisory.

In April 2017, security experts discovered a critical vulnerability that affects the Drupal References module that is used by hundreds of thousands of websites using the popular CMS.

The Drupal team published a Security advisory on April 12 informing its users of the critical flaw.

The flaw has a huge impact on the Drupal community because the affected module is currently used by more than 121,000 websites.

“The module is currently used by over 120 000 individual Drupal installations, but is no longer maintained. The last update was done in February 2013. Unfortunately, a critical security vulnerability in this references module has been reported by the Drupal core security team as SA-CONTRIB-2017-38:

The module had no longer been supported, fortunately, a new maintainer addressed the flaw.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – CVE-2017-6922, hacking)

[adrotate banner=”13″]