Drupal has released an important security update for its open-source management software that addresses multiple critical and moderately critical vulnerabilities.
Drupal development team has warned the users to install the latest release, 7.69, 8.7.11, or 8.8.1 to prevent hackers from compromising web servers. The team also published a post about the flaws they have found in the open-source content management software’s core system. According to the post, 3 of the flaws are “moderately critical” and another one is “critical” vulnerabilities.
The critical vulnerability found in a third-party library, named Archive_Tar which is being used for creating, listing, extracting, and adding files to tar archives. The vulnerability, allows an attacker to overwrite sensitive files on a server by uploading a crafted tar file. This flaw only affects Drupal websites that are configured to process .tar, .tar.gz, .bz2, or .tlz files uploaded by untrusted users.
The other flaws in the core software can lead to denial of service, security restriction bypass, and unauthorized access. Users running vulnerable versions of Drupal are highly recommended to update their CMS to the latest Drupal core release as soon as possible.