U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Drupal dev team fixed Remote Code Execution flaws in the popular CMS

The Drupal development team has patched several vulnerabilities in version 7 and 8 of the popular CMS, including RCE flaws. The development team of the Drupal content management system addressed several vulnerabilities in version 7 and 8, including some flaws that could be exploited for remote code execution. Drupal team fixed a critical vulnerability that resides in […]

Drupal

The Drupal development team has patched several vulnerabilities in version 7 and 8 of the popular CMS, including RCE flaws.

The development team of the Drupal content management system addressed several vulnerabilities in version 7 and 8, including some flaws that could be exploited for remote code execution.

Drupal team fixed a critical vulnerability that resides in the Contextual Links module, that fails to properly validate requested contextual links. The flaw could be exploited by an attacker with an account with the “access contextual links” permission for a remote code execution,

“The Contextual Links module doesn’t sufficiently validate the requested contextual links.” reads the security advisory.
“This vulnerability is mitigated by the fact that an attacker must have a role with the permission “access contextual links”.”

Another critical vulnerability fixed by the development team is an injection issue that resides in the DefaultMailSystem::mail() function. The root cause of the bug is the lack of sanitization of some variables for shell arguments when sending emails.

“When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution.” continues the advisory.

The remaining vulnerabilities addressed in the CMS have been assigned a “moderately critical” rating, they include a couple of open redirect bugs and an access bypass issue related to content moderation.

The vulnerabilities have been addressed with the release of Drupal 7.60, 8.6.2 and 8.5.8.

Drupal team urges users to install security updates as soon as possible, there is the concrete risk that threat actors in the wild will start to exploit flaw in massive hacking campaigns.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Drupal, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]