Security Release for Drupal

Monday, January 21, 2013 @ 03:01 PM gHale


Security releases Drupal 7.19 and Drupal 6.28 were issued last week to close a cross-site scripting (XSS) vulnerability and a couple of access bypass vulnerabilities that affect Drupal core 6.x and 7.x versions.

The reflected XSS vulnerability, which impacts Drupal 6 and 7, affects certain JavaScript functions that “pass unexpected user input into jQuery causing it to insert HTML into the page when the intended behavior is to select DOM elements.”
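The following is an added example, not code from Drupal or its advisory, of the selector-versus-HTML ambiguity described above and one way to guard against it. `legacyDispatch` is a simplified stand-in (an assumption) for how older jQuery decides what to do with a string argument; all function names and sample inputs are constructed for illustration.

```javascript
// Simplified model (an assumption, not jQuery source): legacy $() treats any
// string that holds a "<...>" tag as markup to build, and everything else as
// a selector to look up in the DOM.
function legacyDispatch(arg) {
  return /<[\w\W]+>/.test(arg) ? "create-html" : "select";
}

// Vulnerable pattern: a value taken from the URL fragment is handed to $()
// unchanged, so the caller no longer controls which branch runs.
function unsafeTarget(hash) {
  return { arg: hash, action: legacyDispatch(hash) };
}

// Hardened pattern: accept only a plain "#id" selector and refuse the rest.
// In a browser, document.getElementById(id) avoids string dispatch entirely.
const ID_SELECTOR = /^#[A-Za-z][A-Za-z0-9_-]*$/;

function safeTarget(hash) {
  if (typeof hash !== "string" || !ID_SELECTOR.test(hash)) {
    return { arg: null, action: "rejected" };
  }
  return { arg: hash, action: legacyDispatch(hash) };
}

// Constructed sample inputs: one expected value, two carrying harmless markup,
// and one that is a valid selector but wider than a single ID.
const SAMPLES = ["#edit-title", "#tab<b>injected</b>", "<i>x</i>", "#a, body"];

// Run both patterns over the same inputs so the difference is visible.
function compare(inputs) {
  return inputs.map((input) => ({
    input,
    unsafe: unsafeTarget(input).action,
    safe: safeTarget(input).action,
  }));
}

console.log(compare(SAMPLES));
```

The last sample shows why an allowlist is preferable to stripping angle brackets: it contains no markup, yet it still selects more than the caller intended.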

The first access bypass vulnerability, affecting Drupal 6 and 7, exposes the title and, in some cases, the content of nodes which users should not be allowed to access.

The second access bypass flaw, which affects the “image” module in Drupal 7, allows an attacker to view the image derivatives of images that are marked as private files.

Users should apply the updates as soon as possible, officials said.

Drupal is available for download at its web site.


