Security updates for Drupal: Malicious code attacks on web browsers possible

The developers of Drupal have closed several vulnerabilities in their content management system.

(Image: created with AI in Bing Image Creator by heise online / dmk)

Insufficient input validation leaves older versions of Drupal vulnerable. Under certain conditions, attackers can execute malicious code in a victim's web browser through specially crafted links to websites built with Drupal. Other attacks are also conceivable. Security patches are available.

According to the security advisory, only Drupal 7 with the Overlay module enabled is exposed to the browser attack. Because user input is not sufficiently validated there, attackers can execute malicious code in a victim's web browser by means of reflected cross-site scripting (XSS). The developers do not list a CVE number, but rate the risk as "critical". Drupal 7.102 fixes the issue.
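The pattern behind a reflected XSS flaw, and the two controls that close it, shown as an added example in plain PHP. This is not the Overlay module's code and does not reproduce the advisory's bug; the page handler, the query parameter `render` and the function names are hypothetical. Drupal 7 itself ships `check_plain()` for the encoding step, which wraps `htmlspecialchars()` in the same way as the hardened function below.

```php
<?php
// Added example, not Drupal code. Parameter name "render" and the page
// handler are hypothetical; the Drupal path grammar used below is simplified.
declare(strict_types=1);

// Vulnerable: the query parameter flows straight into the HTML response.
// Whatever the attacker put into the link is returned verbatim to the browser.
function render_unsafe(array $query): string
{
    $path = $query['render'] ?? '';
    return '<div id="overlay-target">Rendering: ' . $path . '</div>';
}

// Hardened: validate the input against the shape it must have, and encode it
// for the HTML context it is written into. Both controls are applied, because
// a parameter that must accept free text could only rely on the second one.
function render_safe(array $query): string
{
    $path = $query['render'] ?? '';

    // Allow-list: only characters that a (simplified) Drupal path may contain.
    // Anything else is discarded rather than "cleaned up" piece by piece.
    if (!preg_match('#\A[A-Za-z0-9/_\-.]{0,255}\z#', $path)) {
        $path = '';
    }

    // Output encoding for the HTML body; ENT_QUOTES also makes the value safe
    // inside a quoted attribute, ENT_SUBSTITUTE prevents invalid UTF-8 from
    // silently emptying the string. Drupal 7's check_plain() does the same.
    $safe = htmlspecialchars($path, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

    return '<div id="overlay-target">Rendering: ' . $safe . '</div>';
}

// Constructed sample requests: the first is what an attacker embeds in a link
// sent to the victim, the second is a legitimate request.
$attack = ['render' => '"><script>alert(document.cookie)</script>'];
$benign = ['render' => 'admin/config'];

echo render_unsafe($attack), PHP_EOL; // the <script> tag reaches the browser
echo render_safe($attack), PHP_EOL;   // allow-list rejects it; empty value rendered
echo render_safe($benign), PHP_EOL;   // legitimate path passes and is encoded
```

A quick check for this class of bug on a test instance is to request the page with a harmless marker such as `?render=%3Cb%3Ezz%3C%2Fb%3E` and inspect the raw response: if the `<b>` tag comes back unencoded, the parameter is reflected without output encoding.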


Most of the remaining vulnerabilities are rated "moderately critical". Among them are PHP code injection flaws that allow attackers to execute their own code, and an authentication bypass that lets an attacker log in using another user's email address. Various versions of Drupal 7, 8, 10 and 11 are affected by these vulnerabilities.

So far, there are no indications of attacks already underway. However, website admins should act quickly and install the available security updates.

The developers list the patched versions in several security advisories, sorted here by threat level in descending order:

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.