Security News

Acquia announced that it is renewing its founding partnership support of the Drupal Steward Program, a web application firewall introduced by the Drupal Association and operated jointly with the Drupal Security team. Acquia implemented Drupal Steward protection across its entire Drupal Cloud platform, protecting thousands of the world's largest sites with the most up-to-date security and vulnerability fixes.

Drupal has released a security update to address a critical vulnerability in a third-party library with documented or deployed exploits available in the wild. "The Drupal project uses the pear Archive Tar library, which has released a security update that impacts Drupal," the Drupal security team said.

Security updates released this week by the developers of the Drupal content management system patch a vulnerability identified in a third-party library. Core patches were made available for Drupal 9.1, 9.0, 8.9, and 7, to resolve a security flaw affecting PEAR Archive Tar, and which also impacts Drupal.

Challenges organizations face in combating third-party cyber riskA CyberGRX report reveals trends and challenges organizations of all sizes face in combating third-party cyber risk today. cPanel 2FA bypass vulnerability can be exploited through brute forceA two-factor authentication bypass vulnerability affecting the popular cPanel & WHM software suite may allow attackers to access secured accounts, Digital Defense researchers have found.

Drupal has released out-of-band security updates to fix two critical code execution flaws in Drupal core, as "There are known exploits for one of core's dependencies and some configurations of Drupal are vulnerable." CVE-2020-28948 and CVE-2020-28949 are arbitrary PHP code execution vulnerabilities found in the open source PEAR Archive Tar library, which Drupal uses to handle TAR files in PHP. "(The) vulnerabilities are possible if Drupal is configured to allow.

Drupal has released emergency security updates to address a critical vulnerability with known exploits that could allow for arbitrary PHP code execution on some CMS versions. "These statistics are incomplete; only Drupal websites using the Update Status module are included in the data," Drupal says.

The developers of the Drupal content management system released out-of-band security updates right before Thanksgiving due to the availability of exploits. The core updates released for Drupal 7, 8.8, 8.9 and 9.0 on November 25 address a couple of vulnerabilities affecting PEAR Archive Tar, a third-party library designed for handling.

Admins of sites running on Drupal are urged to plug a critical security hole that may be exploited by attackers to take over vulnerable sites. CVE-2020-13671 exists because Drupal core does not properly sanitize certain filenames on uploaded files.

Updates released on Wednesday for the Drupal content management system patch a remote code execution vulnerability related to failure to properly sanitize the names of uploaded files. The vulnerability, tracked as CVE-2020-13671, has been classified as critical, but it's worth mentioning that Drupal uses the NIST Common Misuse Scoring System, which assigns vulnerabilities a score ranging between 0 and 25, with "Critical" being only the second highest rating, after "Highly critical."

Muhstik is a botnet that leverages known web application exploits to compromise IoT devices, such as routers, to mine cryptocurrency. Although Muhstik botnet has been around for at least 2018, in December 2019, Palo Alto Networks had identified a new variant of the botnet attacking and taking over Tomato routers.