Symfony, jQuery Vulnerabilities Patched in Drupal
Apr 18th, 2019
- Updates released on Wednesday for Drupal 7 and 8 patch several vulnerabilities affecting third-party Symfony and jQuery components used by the Drupal core.
- The developers of the Symfony PHP web application framework on Wednesday released updates that patch five vulnerabilities, including three that also impact the Drupal content management system (CMS).
- The Symfony flaws can allow an attacker to execute arbitrary code (CVE-2019-10910), authenticate as a different user by modifying a cookie (CVE-2019-10911), and launch cross-site scripting (XSS) attacks (CVE-2019-10909).
- The latest versions of Drupal also address a jQuery vulnerability patched earlier this month with the release of jQuery 3.4.0. The security hole, related to the jQuery.extend() function, can allow XSS attacks.
- “It's possible that this vulnerability is exploitable with some Drupal modules. As a precaution, this Drupal security release backports the fix to jQuery.extend(), without making any other changes to the jQuery version that is included in Drupal core (3.2.1 for Drupal 8 and 1.4.4 for Drupal 7) or running on the site via some other module such as jQuery Update,” Drupal developers said.
- Drupal patched these vulnerabilities with the release of versions 8.6.15, 8.5.15 and 7.66.
- While these flaws have been described as “moderately critical” and are less likely to be exploited in the wild, Drupal users should do their best to keep their installations up-to-date considering that it’s not uncommon for malicious actors to start exploiting vulnerabilities shortly after they have been fixed.
- In late February, researchers noticed that a Drupal vulnerability patched just three days earlier had been exploited in the wild to deliver cryptocurrency miners and other types of payloads.
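
A fleet triage check built from the fixed releases listed above (8.6.15, 8.5.15 and 7.66); this is an added example, not code from the article or from the Drupal project. The hostnames and versions in the sample inventory are constructed, and any branch the article does not name is reported as not covered rather than guessed.

```python
import re

# Fixed releases named in the article, keyed by branch.
# Drupal 8 branches are (major, minor); Drupal 7 uses two-part versions (7.66).
FIXED = {(8, 6): 15, (8, 5): 15, (7,): 66}

_VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def triage(version):
    """Return 'patched', 'needs-update' or 'not-covered' for a core version string."""
    m = _VERSION.fullmatch(version.strip())
    if not m:
        return "not-covered"  # e.g. "8.6.x-dev": cannot be compared to a release
    major, second, third = int(m[1]), int(m[2]), m[3]
    if major == 7 and third is None:
        branch, release = (7,), second
    elif major == 8 and third is not None:
        branch, release = (8, second), int(third)
    else:
        return "not-covered"
    fixed = FIXED.get(branch)
    if fixed is None:
        return "not-covered"  # branch not named in the article
    return "patched" if release >= fixed else "needs-update"


def needs_attention(inventory):
    """Return {site: status} for every site not confirmed on a fixed release."""
    report = {}
    for site, version in inventory.items():
        status = triage(version)
        if status != "patched":
            report[site] = status
    return report


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = {
    "www.example.org": "8.6.15",
    "intranet.example.org": "8.6.13",
    "legacy.example.org": "7.65",
    "shop.example.org": "8.5.15",
    "dev.example.org": "8.6.x-dev",
}
```

Sites reported as not covered need a manual check against the Drupal security advisory for their branch.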