The Indian Computer Emergency Response Team (CERT-In) issued a Vulnerability Note CIVN-2024-0353 highlighting several critical vulnerabilities within the widely used content management system (CMS), Drupal. The Drupal vulnerabilities, spanning versions from 7 to 11, have been deemed to present a high security risk due to their potential for unauthorized access, arbitrary code execution, and exposure to data theft.
The flaws, which have been traced to improper handling of user inputs, inadequate sanitization in certain modules, and potential vulnerabilities linked to PHP Object Injection, could allow attackers to compromise a site’s integrity, gain access to sensitive data, or execute malicious scripts.
Drupal Vulnerabilities Affected Versions and Risk Overview
Drupal, an open-source CMS, powers a number of websites, ranging from personal blogs to large organizational platforms. According to the vulnerability notes, multiple vulnerabilities exist in Drupal core due to flaws such as improper sanitization of status messages, failure to check certain user fields, and vulnerabilities that could allow PHP Object Injection. These flaws are particularly concerning for administrators running versions prior to:
- Drupal 7 (before version 7.102)
- Drupal 10.2 (before version 10.2.11)
- Drupal 10.3 (before version 10.3.9)
- Drupal 11.0 (before version 11.0.8)
The primary concern is that these vulnerabilities could be exploited by remote attackers to perform cross-site scripting (XSS) attacks, execute arbitrary code, or even steal sensitive user data. For Drupal-based sites with outdated versions, these vulnerabilities can be exploited without requiring sophisticated technical knowledge from the attackers.
Key Drupal Vulnerabilities and Exploits
One of the most critical Drupal vulnerabilities outlined in the report is a Cross-Site Scripting (XSS) issue, identified in SA-CORE-2024-003. This vulnerability affects versions from Drupal 8.8 to Drupal 10.2.11, Drupal 10.3.0 to Drupal 10.3.9, and Drupal 11.0.0 to Drupal 11.0.8. Drupal uses JavaScript to render status messages in some configurations, and in certain cases, these messages are not properly sanitized. This lack of sanitization opens the door for attackers to inject malicious scripts that could execute on the client side, compromising users’ sessions or performing unauthorized actions on their behalf.
Another major vulnerability identified is an Access Bypass issue, found in SA-CORE-2024-004. This vulnerability, affecting versions 8.0.0 to 10.2.11, 10.3.0 to 10.3.9, and 11.0.0 to 11.0.8, arises due to inconsistent uniqueness checking for certain user fields. Depending on the database engine and collation settings, attackers could exploit this flaw to allow multiple users to register with the same email address, leading to potential data integrity problems.
More concerning vulnerabilities include PHP Object Injection issues described in SA-CORE-2024-006 and SA-CORE-2024-007. These vulnerabilities are considered less critical because they are not directly exploitable. However, if combined with another vulnerability, they could lead to remote code execution or arbitrary file deletion. The issue arises due to the improper handling of object deserialization. Although no direct exploits have been identified, administrators should still be vigilant, especially if their sites are using third-party database drivers.
Impact Assessment and Solution Recommendations
The exploitation of these vulnerabilities in Drupal could lead to serious consequences, ranging from data theft to malware propagation. The potential for attackers to perform arbitrary code execution or manipulate user data is a significant concern, especially for organizations that rely on Drupal to store sensitive or mission-critical information. Sites running outdated versions are at the greatest risk, and administrators are urged to act promptly.
To mitigate these risks, Drupal administrators are strongly advised to update their systems to the latest versions. The security updates are as follows:
- Update Drupal 7 to 7.102
- Update Drupal 10.2 to 10.2.11
- Update Drupal 10.3 to 10.3.9
- Update Drupal 11.0 to 11.0.8
In addition to updating, Drupal administrators are encouraged to review their current configurations, especially when using custom modules or third-party applications that might interact with the Drupal core. This will help ensure that no existing vulnerabilities are overlooked, particularly those related to user input sanitization or unsafe object handling.
Vendor Response and Ongoing Monitoring
The Drupal Security Team has been actively working on addressing these vulnerabilities. The initial reports and fixes were coordinated by team members such as Lee Rowlands, Greg Knaddison, and Drew Webber, with support from the broader Drupal security community. The latest security updates and patches are available from the official Drupal security advisories at:
Additionally, the Drupal community has provided instructions for administrators to help them patch and secure their installations. The emphasis is on keeping up with CIVN-2024-0353 and other related advisories to reduce the risk of exploitation.
Related