Government of the Republic of Trinidad and Tobago


TTCSIRT-174.102218: TT-CSIRT Advisory – Drupal Security Updates

22nd October 2018

Drupal has released a security update stating that the following vulnerabilities have been discovered in the Drupal Core Module:

a) Content Moderation fails in certain circumstances to check user access to certain transitions, which results in an access bypass.

b) External URL injection through URL Aliases allows for open redirect.

c) Anonymous Open Redirect takes place if a user clicks on a specially crafted URL using the destination query string.

d) Injection in DefaultMailSystem::mail(), caused by variables not being sanitized for shell arguments, allows for remote code execution.

e) The Contextual Links module does not sufficiently validate requested contextual links, which leads to remote code execution.

Further information on these vulnerabilities and how they can be mitigated can be found on the Drupal Website at