DRUPAL PATCHES CRITICAL BUG THAT LEAVES PLATFORM OPEN TO XSS ATTACK

“This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments,” Drupal said.

Another critical vulnerability in Drupal 7 and Drupal 8 involves a JavaScript function “Drupal.checkPlain()” flaw that it said could lead to a cross-site scripting vulnerability under certain circumstances.

“Drupal has a “Drupal.checkPlain()” JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output does not typically go through Twig autoescaping). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances,” researchers wrote.

Unaffected are “PHP functions which Drupal provides for HTML escaping,” the company said.

dru

Developers behind the CMS platform also fixed several moderately critical vulnerabilities, including a private file system glitch that leads to an access bypass vulnerability for users trying to view or download private files.

Another moderately critical bug is tied to Drupal 8’s Settings Tray module and allows users to update certain data that they don’t have permissions for.

“If you have implemented a Settings Tray form in contrib or a custom module, the correct access checks should be added. This release fixes the only two implementations in core, but does not harden against other such bypasses,” said Drupal’s release.

It’s not the first time Drupal has dealt with vulnerabilities in its platform – the company also released several patches in August that fixed several critical access bypass bugs in its Drupal 8 Core engine. The most serious of these security bugs allowed attackers remote access to the platform, so they could view, create, update or delete entities in the access system.

Source:https://threatpost.com/drupal-patches-critical-bug-that-leaves-platform-open-to-xss-attack/130070/