The Drupal CMS team has issued a security update to address a serious-severity access bypass vulnerability in Drupal core that could let attackers take over affected sites.

Only a limited set of Drupal sites are affected: according to the security advisory, the issue is confined to Drupal 8.7.4, while Drupal 8.7.3 and earlier, Drupal 8.6.x and earlier, and Drupal 7.x are not affected.

“In Drupal 8.7.4, when the experimental Workspaces module is enabled, an access bypass condition is created,” says the Drupal team.

More importantly, the Drupal development team notes that the fix only takes effect on affected sites once update.php has been run.

Updating to 8.7.5 matters because attackers could exploit the vulnerability simply by visiting a URL; no account or authentication is required to abuse affected sites.

Fortunately, no exploit for this vulnerability is publicly available yet; however, should one be developed, most sites running Drupal 8.7.4 would be exposed, since "default or common module configurations are exploitable."

A mitigation is also available for administrators who cannot immediately update their Drupal installation: the simplest option is to disable the Workspaces module on affected sites.
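The two conditions above (core version 8.7.4 and the Workspaces module enabled) can be checked from a site's code base and exported configuration. The following is an added example, not code from the Drupal project or this article; it assumes the standard Drupal 8 layout where `core/lib/Drupal.php` carries a `VERSION` constant and an exported `config/sync/core.extension.yml` lists enabled modules, and uses constructed sample contents of both files.

```python
import re
from typing import Optional, Set

# Constructed sample contents standing in for core/lib/Drupal.php and an
# exported config/sync/core.extension.yml (assumed Drupal 8 layout).
SAMPLE_DRUPAL_PHP = """<?php
class Drupal {
  const VERSION = '8.7.4';
}
"""
SAMPLE_CORE_EXTENSION_YML = """module:
  node: 0
  user: 0
  workspaces: 0
theme:
  bartik: 0
"""

def parse_core_version(drupal_php: str) -> Optional[str]:
    """Extract the VERSION constant from the contents of core/lib/Drupal.php."""
    match = re.search(r"const VERSION = '([^']+)';", drupal_php)
    return match.group(1) if match else None

def enabled_modules(core_extension_yml: str) -> Set[str]:
    """Return module names listed under the top-level 'module:' key.
    A minimal line parser is used so no YAML dependency is needed."""
    modules, in_module_block = set(), False
    for line in core_extension_yml.splitlines():
        if not line.startswith(" "):          # top-level key: module:, theme:, ...
            in_module_block = line.strip() == "module:"
            continue
        if in_module_block and ":" in line:
            modules.add(line.strip().split(":", 1)[0])
    return modules

def assess(version: Optional[str], modules: Set[str]) -> dict:
    """Apply the advisory's conditions: only 8.7.4 with Workspaces enabled is affected."""
    workspaces_on = "workspaces" in modules
    vulnerable = version == "8.7.4" and workspaces_on
    if vulnerable:
        action = "update to 8.7.5 and run update.php; until then disable Workspaces"
    elif version == "8.7.4":
        action = "Workspaces disabled, not exposed via this issue; still update to 8.7.5"
    else:
        action = "version not in the affected set"
    return {"version": version, "workspaces_enabled": workspaces_on,
            "vulnerable": vulnerable, "action": action}

if __name__ == "__main__":
    print(assess(parse_core_version(SAMPLE_DRUPAL_PHP),
                 enabled_modules(SAMPLE_CORE_EXTENSION_YML)))
```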

For scale, Drupal is used by 1.8% of all websites with a content management system (CMS) tracked by W3Techs, making it the third most popular CMS on the Internet, after WordPress (34.2%) and Joomla (2.8%).
