Multiple High Severity Drupal Vulnerabilities Detected


The Indian Computer Emergency Response Team (CERT-In) has issued an alert about vulnerabilities in Drupal, the open-source web content management system.

The vulnerabilities affect the File Chooser Field contributed module and have been assigned a severity rating of HIGH by CERT-In.

If left unaddressed, the flaws allow an attacker to perform Server-Side Request Forgery (SSRF) and thereby gain unauthorized access to sensitive information.

The vulnerabilities stem from the File Chooser Field module not properly validating user-supplied input. By crafting that input, an attacker can make the Drupal server issue requests on their behalf (SSRF), which can disclose information held on the targeted system or on hosts reachable from it.

Given the severity of the issue, affected site owners should act immediately to mitigate the risk.

Fixing Drupal vulnerabilities: Update now!

To address the vulnerabilities, the Drupal Security Team has published a security advisory that recommends applying the fixed release.

The advisory, SA-CONTRIB-2023-015, is available on the official Drupal website at https://www.drupal.org/sa-contrib-2023-015. Following its guidance secures affected systems against exploitation.

The affected component is the File Chooser Field module, which lets users upload files through third-party services such as Google Drive and Dropbox.

The module does not sufficiently validate user input, which opens the door to SSRF attacks and the disclosure of sensitive information.

In certain uncommon configurations and circumstances, exploitation could even lead to remote code execution, which adds to the urgency of applying the fix promptly.
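The defect class described above is a fetch-from-URL feature that trusts the location the user supplies. The following Python is an added example, not code from the File Chooser Field module or from Drupal, showing the validation such a feature needs before the server makes any request: a scheme check, an allow-list of hosts, rejection of embedded credentials and non-standard ports, and resolution of the host with every returned address checked against non-public ranges (loopback, RFC 1918, link-local including the cloud metadata address 169.254.169.254). The allow-listed hosts and the DNS table are constructed for the example so it runs offline.

```python
"""SSRF input validation for a "fetch a file from this URL" feature.

Added example; not code from the File Chooser Field module or Drupal.
ALLOWED_HOSTS and FAKE_DNS are constructed for the example.
"""
import ipaddress
import socket
from urllib.parse import urlparse

# Assumption: these are the only third-party hosts the feature needs.
ALLOWED_HOSTS = frozenset({
    "www.dropbox.com",
    "dl.dropboxusercontent.com",
    "drive.google.com",
    "www.googleapis.com",
})

# Constructed DNS answers so the example runs offline; not real records.
FAKE_DNS = {
    "www.dropbox.com": ["162.125.1.18"],
    "drive.google.com": ["142.250.74.78"],
    "internal.example": ["10.0.0.5"],            # rebinds to RFC 1918 space
    "dual.example": ["93.184.216.34", "::1"],    # one public, one loopback
}


def fake_resolver(host):
    """Offline stand-in for DNS; raises OSError like the real resolver."""
    if host not in FAKE_DNS:
        raise OSError(f"cannot resolve {host}")
    return list(FAKE_DNS[host])


def system_resolver(host):
    """Real DNS lookup returning every A and AAAA answer as a string."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip):
    """True only for globally routable addresses. is_global rejects loopback,
    RFC 1918, link-local (incl. 169.254.169.254), CGNAT, multicast, unspecified."""
    return ipaddress.ip_address(ip).is_global


def validate_fetch_url(url, resolver=system_resolver, allowed_hosts=ALLOWED_HOSTS):
    """Return (ok, reason). All checks run before any request is sent."""
    try:
        parsed = urlparse(url)
        port = parsed.port          # ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"

    if parsed.scheme not in ("http", "https"):
        return False, f"scheme {parsed.scheme!r} not allowed"
    if parsed.username is not None or parsed.password is not None:
        return False, "credentials in URL not allowed"

    host = (parsed.hostname or "").rstrip(".")
    if not host:
        return False, "missing host"
    if host not in allowed_hosts:
        return False, f"host {host!r} not on allow-list"
    if port not in (None, 80, 443):
        return False, f"port {port} not allowed"

    # Check every address the name resolves to, not just the first answer.
    try:
        addresses = resolver(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    for ip in addresses:
        if not is_public_address(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"


# Constructed inputs: one legitimate share link and six SSRF attempts.
SAMPLE_URLS = [
    "https://www.dropbox.com/s/abc123/report.pdf",
    "file:///etc/passwd",
    "http://169.254.169.254/latest/meta-data/",
    "https://www.dropbox.com@127.0.0.1/",
    "https://www.dropbox.com:8443/s/abc123/report.pdf",
    "https://internal.example/share/1",
    "https://dual.example/share/2",
]


def demo():
    """Run the sample URLs through the validator with the offline resolver."""
    hosts = ALLOWED_HOSTS | {"internal.example", "dual.example"}
    return {u: validate_fetch_url(u, resolver=fake_resolver, allowed_hosts=hosts)
            for u in SAMPLE_URLS}


if __name__ == "__main__":
    for url, (ok, reason) in demo().items():
        print(f"{'ALLOW' if ok else 'BLOCK':5} {url}  ({reason})")
```

Two caveats apply when wiring a check like this into a real fetch: the address that passed the check must be the one actually connected to (otherwise a DNS answer that changes between check and use defeats it), and every HTTP redirect must be re-validated with the same function, since a redirect from an allow-listed host to an internal address is the usual bypass.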

To secure your installation, upgrade the File Chooser Field module: sites running the 7.x-1.x branch should update to version 7.x-1.13.

Applying this update closes the SSRF vector and with it the risk of information disclosure.

Drew Webber and George Hazlewood of the Drupal Security Team reported the vulnerabilities in the File Chooser Field module. The fixes were developed by Drew Webber and aaron.ferris.

Greg Knaddison of the Drupal Security Team coordinated the advisory.

In short, the vulnerabilities in the File Chooser Field module underline the importance of promptly addressing security flaws in web applications.

By upgrading to the fixed release, Drupal site owners protect their systems against the SSRF and information-disclosure risks described in the advisory.

Monitoring security advisories and applying updates without delay is essential to safeguarding sensitive data and maintaining the integrity of web platforms.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
