Posts Tagged ‘Drupal vulnerabilities’


New security vulnerabilities 2015

Several new security vulnerabilities of varying severity have been found by security researchers:

  • System compromise in Android (high severity vulnerability)
  • Bypassing security restrictions on Apache Tomcat (medium severity vulnerability)
  • Multiple vulnerabilities in CMS Drupal (low severity vulnerability)
  • Compromising the system in Apple QuickTime for Windows (high severity vulnerability) (more…)

A dangerous vulnerability has been fixed in Drupal. The most serious issue outlined in the advisory (CVE-2015-3234) allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts.

For a successful attack, the victim must have an account with certain OpenID providers.

Vulnerabilities identified in the OpenID module allow a potential attacker to log in as an administrator. However, for a successful attack the victim must have an account associated with the OpenID providers (for example: Verisign, LiveJournal, StackExchange, and some others). (more…)

Due to the critical vulnerability (CVE-2014-3704) that allows an attacker to gain access to the administrator account, developers are advised to roll back to a backup or recreate the site from scratch.

According to the developers of the popular CMS (content management system) Drupal, all websites based on Drupal 7.x can be compromised. The problem is related to a critical vulnerability that could allow an unauthorized user to execute arbitrary SQL queries against the site's database and uncover the administrator password.

According to the developers, attacks exploiting this vulnerability began immediately after the announcement on October 15 this year. Even websites whose administrators had enough time to apply the update may still be compromised. (more…)


The critical vulnerability in Drupal (CVE-2014-3704)

Release 7.32 of the web content management system Drupal fixes a critical vulnerability (CVE-2014-3704), which allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. The vulnerability has been assigned the highest level of danger (Highly critical), which indicates the possibility of remote attacks that can lead to gaining access to the system.

The vulnerability is caused by a bug in the implementation of prepared statements in the database abstraction API and can be exploited by anonymous users. A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. (more…)