The Drupal developers have secured several version series of the content management system against a critical vulnerability. Under certain conditions, attackers could have exploited this remotely to execute program code on the respective web server (Remote Code Execution, RCE).

Furthermore there are updates for the Drupal modules SAML SP 2.0 SSO module, Media oEmbed and Examples for Developers . Here, too, critical weaknesses have been eliminated throughout. Drupal admins should update vulnerable installations and modules as soon as possible.

The Ink Filepicker also has a critical vulnerability. However, since it was not repaired by the project managers and they apparently no longer care about the module, the Drupal Security Team has marked the project as “unsupported”. In a security advisory it advises to uninstall:

Ink Filepicker – Unsupported – SA-CONTRIB – 2020 – 037 Drupal Core: RCE via file upload Drupal Advisory SA-CORE gives details of the vulnerability in the CMS itself – 2020 – 012. Accordingly, it was previously possible to assign specific names when uploading files, which led to the CMS interpreting the file type incorrectly. As a consequence, in the case of certain hosting configurations not described in detail in the advisory, the system could be made to execute harmful PHP code.

The “Security Risk Matrix” in the advisory shows that that at least the access rights of an authenticated user would be required for an attack. Exploit code in the wild has not yet been spotted.

The new versions 7. 74, 8.8. 11, 8.9.9 and 9.0 .8 remedy the vulnerable Drupal editions 7.x, 8.8.x, 8.9.x and 9.0.x. Since 8-version series before 8.8.x are no longer officially supported, no update is available for them.

In addition to the update, the Drupal team recommends that certain files that have already been uploaded to the server be retroactively ” Check for hidden “potentially harmful file types. Details can be found in the advisory.

Module updates close critical gaps The critical gaps in the three modules mentioned at the beginning for several Drupal versions can be misused to bypass authentication mechanisms (SAML SP 2.0 SSO) and offer further points of attack for RCE (Media oEmbed, Examples for Developers). Module users can find information on vulnerable and fixed versions in the advisories:

SAML SP SSO – Access bypass – SA-CONTRIB – 2020 – 038 Media oEmbed – Remote Code Execution – SA-CONTRIB – 2020 – 036 Examples for Developers – Remote Code Execution – SA-CONTRIB – 74 – 035 (ovw)