Security News

Acquia renews Drupal Steward Program support to address always-evolving security risks
2021-08-10 22:45

Acquia announced that it is renewing its founding partnership support of the Drupal Steward Program, a web application firewall introduced by the Drupal Association and operated jointly with the Drupal Security team. Acquia implemented Drupal Steward protection across its entire Drupal Cloud platform, protecting thousands of the world's largest sites with the most up-to-date security and vulnerability fixes.

Drupal releases fix for critical vulnerability with known exploits
2021-01-22 14:07

Drupal has released a security update to address a critical vulnerability in a third-party library with documented or deployed exploits available in the wild. "The Drupal project uses the pear Archive Tar library, which has released a security update that impacts Drupal," the Drupal security team said.

Drupal Updates Patch Another Vulnerability Related to Archive Files
2021-01-21 16:13

Security updates released this week by the developers of the Drupal content management system patch a vulnerability identified in a third-party library. Core patches were made available for Drupal 9.1, 9.0, 8.9, and 7, to resolve a security flaw affecting PEAR Archive Tar, and which also impacts Drupal.

Week in review: Drupal-based sites open to attack, cPanel 2FA bypass vulnerability
2020-11-29 09:00

Challenges organizations face in combating third-party cyber risk: A CyberGRX report reveals trends and challenges organizations of all sizes face in combating third-party cyber risk today.

cPanel 2FA bypass vulnerability can be exploited through brute force: A two-factor authentication bypass vulnerability affecting the popular cPanel & WHM software suite may allow attackers to access secured accounts, Digital Defense researchers have found.

Out-of-band Drupal security updates fix bugs with known exploits
2020-11-27 19:57

Drupal has released out-of-band security updates to fix two critical code execution flaws in Drupal core, as "There are known exploits for one of core's dependencies and some configurations of Drupal are vulnerable." CVE-2020-28948 and CVE-2020-28949 are arbitrary PHP code execution vulnerabilities found in the open source PEAR Archive Tar library, which Drupal uses to handle TAR files in PHP. "(The) vulnerabilities are possible if Drupal is configured to allow.

Drupal issues emergency fix for critical bug with known exploits
2020-11-27 12:31

Drupal has released emergency security updates to address a critical vulnerability with known exploits that could allow for arbitrary PHP code execution on some CMS versions. "These statistics are incomplete; only Drupal websites using the Update Status module are included in the data," Drupal says.

Drupal Releases Out-of-Band Security Updates Due to Availability of Exploits
2020-11-27 12:14

The developers of the Drupal content management system released out-of-band security updates right before Thanksgiving due to the availability of exploits. The core updates released for Drupal 7, 8.8, 8.9 and 9.0 on November 25 address a couple of vulnerabilities affecting PEAR Archive Tar, a third-party library designed for handling.

Drupal-based sites open to attack via double extension files (CVE-2020-13671)
2020-11-23 09:15

Admins of sites running on Drupal are urged to plug a critical security hole that may be exploited by attackers to take over vulnerable sites. CVE-2020-13671 exists because Drupal core does not properly sanitize certain filenames on uploaded files.

Remote Code Execution Vulnerability Patched in Drupal
2020-11-19 13:23

Updates released on Wednesday for the Drupal content management system patch a remote code execution vulnerability related to failure to properly sanitize the names of uploaded files. The vulnerability, tracked as CVE-2020-13671, has been classified as critical, but it's worth mentioning that Drupal uses the NIST Common Misuse Scoring System, which assigns vulnerabilities a score ranging between 0 and 25, with "Critical" being only the second highest rating, after "Highly critical."

Chinese-linked Muhstik botnet targets Oracle WebLogic, Drupal
2020-11-11 10:02

Muhstik is a botnet that leverages known web application exploits to compromise IoT devices, such as routers, to mine cryptocurrency. Although the Muhstik botnet has been around since at least 2018, in December 2019 Palo Alto Networks identified a new variant of the botnet attacking and taking over Tomato routers.