The Drupal project has released a patch to fix a critical access bypass vulnerability that could put websites at risk of hacking. The vulnerability does not have the highest severity level based on Drupal’s rating system, but is serious enough that the platform’s developers decided to also release a patch for a version of the content management system that’s no longer officially supported
More than 19 months after it was patched by Drupal developers, a critical SQL injection vulnerability in the popular content management system is still being exploited by malicious actors to hack websites. The vulnerability in question, tracked as CVE-2014-3704 and dubbed by researchers “Drupalgeddon,” is related to a database abstraction API used in Drupal 7. […]
The update mechanism of the popular Drupal content management system is insecure in several ways, allowing attackers to trick administrators into installing malicious updates. Researcher Fernando Arnaboldi from security firm IOActive noticed that Drupal will not inform administrators that an update check has failed, for example due to inability to access the update server.
Latest Comments