TTCSIRT-207.042319: TT-CSIRT Advisory – Drupal Security Updates

Drupal has released a security update stating that the following vulnerabilities have been discovered in the Drupal Core Module:

a) Validation messages were not escaped when using the form theme of the PHP templating engine; where validation messages can contain user input, this could result in cross-site scripting (XSS) – (CVE-2019-10909).

b) Service IDs derived from unfiltered user input could allow arbitrary code to be executed, resulting in possible remote code execution – (CVE-2019-10910).

c) Part of an expiry time in a cookie could be considered part of the username, or part of the username could be considered part of the expiry time. An attacker could modify the remember-me cookie and authenticate as a different user – (CVE-2019-10911).
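The field-boundary problem described in item (c) is easiest to see in code. The following Python is an added illustration of that bug class and its fix, written for this advisory; it is not Drupal's or Symfony's code, and the cookie format, the key and the usernames are constructed for the demonstration. The weak scheme signs the username and expiry as one concatenated string and then trusts the ':' positions in the cookie, which the signature never covered; the hardened scheme encodes each field (base64url cannot contain the separator) and signs the encoded body exactly as it appears in the cookie, so moving a boundary changes the signed bytes.

```python
import base64
import hashlib
import hmac

# Constructed demo key; a real deployment loads a long random secret from configuration.
KEY = b"constructed-demo-key-not-for-production"


def _mac(data: bytes) -> str:
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()


# --- Weak scheme: fields concatenated with no boundary marker before signing ---
# "admin1" + "7000000000" and "admin" + "17000000000" both sign as "admin17000000000",
# yet the parser below recovers different usernames from them.
def issue_weak(username: str, expires: int) -> str:
    sig = _mac(f"{username}{expires}".encode())
    return f"{username}:{expires}:{sig}"


def verify_weak(cookie: str, now: int):
    """Return the username if the cookie verifies and is unexpired, else None."""
    try:
        username, expires, sig = cookie.split(":")
        expires_at = int(expires)
    except ValueError:
        return None
    if not hmac.compare_digest(sig.encode(), _mac(f"{username}{expires}".encode()).encode()):
        return None
    if expires_at < now:
        return None
    return username


# --- Hardened scheme: each field encoded, MAC over the encoded body ---
def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_hardened(username: str, expires: int) -> str:
    # base64url output never contains '.', so field boundaries are unambiguous, and the
    # MAC covers the encoded body byte-for-byte as it is sent in the cookie.
    body = f"{_b64(username.encode())}.{_b64(str(expires).encode())}"
    return f"{body}.{_mac(body.encode())}"


def verify_hardened(cookie: str, now: int):
    """Return the username if the cookie verifies and is unexpired, else None."""
    try:
        user_enc, exp_enc, sig = cookie.split(".")
    except ValueError:
        return None
    body = f"{user_enc}.{exp_enc}"
    if not hmac.compare_digest(sig.encode(), _mac(body.encode()).encode()):
        return None
    try:
        username = _unb64(user_enc).decode()
        expires_at = int(_unb64(exp_enc).decode())
    except (ValueError, UnicodeDecodeError):
        return None
    if expires_at < now:
        return None
    return username


def boundary_shift_check(now: int = 1_600_000_000) -> dict:
    """Regression check (constructed data): a cookie issued to 'admin1' with expiry
    7000000000 has the same weak MAC input as 'admin' with expiry 17000000000. Moving
    the ':' still verifies under the weak scheme but is rejected by the hardened one."""
    issued = issue_weak("admin1", 7_000_000_000)
    sig = issued.rsplit(":", 1)[1]
    shifted = f"admin:17000000000:{sig}"

    hardened_issued = issue_hardened("admin1", 7_000_000_000)
    hardened_sig = hardened_issued.rsplit(".", 1)[1]
    shifted_hardened = f"{_b64(b'admin')}.{_b64(b'17000000000')}.{hardened_sig}"

    return {
        "weak_legit": verify_weak(issued, now),                     # 'admin1'
        "weak_shifted": verify_weak(shifted, now),                  # 'admin' (boundary confusion)
        "hardened_legit": verify_hardened(hardened_issued, now),    # 'admin1'
        "hardened_shifted": verify_hardened(shifted_hardened, now), # None
    }


if __name__ == "__main__":
    for name, result in boundary_shift_check().items():
        print(f"{name}: {result!r}")
```

The general rule the hardened version applies is that a MAC must cover an unambiguous encoding of every field, so that no two distinct field sets produce the same signed bytes; encoding each field and signing the exact wire form achieves that, while concatenating raw values does not.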

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution and, depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Further information on these vulnerabilities and how they can be mitigated can be found on the Drupal website at https://www.drupal.org/sa-core-2019-005