Drupal Sercurity

Drupal issued an update to patch a vulnerability in its Symfony library that if exploited would give an attacker to gain access to higher level caches and web servers.

The issue, CVE-2018-14773, effects many Symfony versions, 2.7.0 to 2.7.48, 2.8.0 to 2.8.43, 3.3.0 to 3.3.17, 3.4.0 to 3.4.13, 4.0.0 to 4.0.13 and 4.1.0 to 4.1.2 versions of the Symfony HttpFoundation component. This issue is resolved by updating to 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14, and 4.1.3.

A set of high-severity vulnerabilities in Drupal that were disclosed last month are now the target of widespread attacks by a malware campaign.

Researcher Troy Mursch of Bad Packets Report has spotted hundreds of compromised Drupal sites being used to host "cryptojacking" malware that uses the CPUs of visitors to mine cryptocurrency via CoinHive.

After the publication of two severe security flaws in the Drupal CMS, cybercrime groups have turned their sights on this web technology in the hopes of finding new ground to plant malware on servers and make money through illegal cryptocurrency mining.

After scrambling to patch a critical vulnerability late last month, Drupal is at it again.

The open source content management project has issued an unscheduled security update to augment its previous patch for Drupalgeddon2.

There was also a cross-site scripting bug advisory in mid-April.

Five hours after the Drupal team published a security update for the Drupal CMS, hackers have found a way to weaponize the patched vulnerability, and are actively exploiting it in the wild.

This vulnerability should not be confused with Drupalgeddon 2 (CVE-2018-7600), another Drupal CMS security issue patched last month, which is also heavily exploited. This issue —tracked as CVE-2018-7602— was patched today.