Drupal 7.19 and 6.28 Released to Address XSS, Access Bypass Flaws

Users are advised to update their installations as soon as possible

On Wednesday, Drupal 7.19 and Drupal 6.28 were released. The security updates address a cross-site scripting (XSS) vulnerability and two access bypass vulnerabilities that affect Drupal core 6.x and 7.x versions.


The reflected XSS vulnerability, which impacts both Drupal 6 and 7, affects certain JavaScript functions that “pass unexpected user input into jQuery causing it to insert HTML into the page when the intended behavior is to select DOM elements.”
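A guard for the pattern described above, as an added example that is not Drupal's patch or code from the advisory: it accepts only a plain `#id` string before the value is handed to a jQuery-style selector call. `legacyTreatsAsHtml` is a simplified model of the selector/HTML ambiguity (an assumption, not jQuery's actual code), and the sample values are constructed.

```javascript
// Simplified model (assumption): a jQuery-style entry point that treats any
// string containing a tag-like "<...>" run as markup to build, even when the
// caller meant it as a selector such as "#some-id".
function legacyTreatsAsHtml(input) {
  return typeof input === 'string' && /<[\w\W]+>/.test(input);
}

// Guard: return the value only if it is a plain "#id" fragment, else null.
// Anything with "<", whitespace, or other selector syntax is rejected, so the
// value can only ever select an element and never create one.
function safeIdSelector(input) {
  if (typeof input !== 'string') return null;
  return /^#[A-Za-z][\w-]*$/.test(input) ? input : null;
}

// Constructed sample values, e.g. what a script might read from location.hash.
const samples = ['#overview', '#tab-2', '#<b>injected</b>', '#x <i>y</i>', '', '#'];

// Report, per value, how the legacy model would interpret it and whether the
// guard lets it through.
function audit(values) {
  return values.map((value) => ({
    value,
    legacyHtml: legacyTreatsAsHtml(value),
    accepted: safeIdSelector(value) !== null,
  }));
}

for (const row of audit(samples)) {
  console.log(JSON.stringify(row));
}
```

In page code the guard sits between the untrusted value and the selector call: a `null` result means the value is ignored rather than passed on.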

The first access bypass vulnerability, affecting Drupal 6 and 7, exposes the title and, in some cases, the content of nodes which users should not be allowed to access.

The second access bypass flaw, which affects the “image” module in Drupal 7, allows an attacker to view the image derivatives of images that are marked as private files.

Users are advised to apply the updates as soon as possible.

Drupal is available for download here
