Drupal releases Security update for critical vulnerabilities

A very popular Content Management System called Drupal has released security update for different kinds of vulnerabilities. A latest updated version8.2.7 guarantees that Drupal core requires the most secure version of PHPUnit accessible.

Description of Vulnerabilities:

  • Editor module incorrectly checks access to inline private files – Drupal 8 – Access Bypass – Critical – CVE-2017-6377

    While including a private file with a configured text editor (like CKEditor), the editor won’t accurately check access for the record being added, which ends up in an access bypass.

  • Some admin paths were not protected with a CSRF token – Drupal 8 – Cross Site Request Forgery – Moderately Critical – CVE-2017-6379

    Some administrative paths did exclude security for CSRF. This would allow an attacker to destroy a few block on a site. This issue is reduced by the way that clients would need to know the block ID.

  • Remote code execution – Drupal 8 – Remote code execution – Moderately Critical – CVE-2017-6381

    A 3rd party development library incorporating with Drupal 8 development dependencies is helpless against remote code execution.