Drupal version 7.39 is now available (security release). Drupal 7.39 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Drupal updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Drupal install to test the 7.39 upgrade prior to applying it live. Get started managing your Drupal installations with Installatron.

This release fixes critical security vulnerabilities.

Cross-site Scripting - Ajax system - Drupal 7: A vulnerability was found that allows a malicious user to perform a cross-site scripting attack by invoking Drupal.ajax() on a whitelisted HTML element. This vulnerability is mitigated on sites that do not allow untrusted users to enter HTML. Drupal 6 core is not affected, but see the similar advisory for the Drupal 6 contributed Ctools module: SA-CONTRIB-2015-141.

Cross-site Scripting - Autocomplete system - Drupal 6 and 7: A cross-site scripting vulnerability was found in the autocomplete functionality of forms. The requested URL is not sufficiently sanitized. This vulnerability is mitigated by the fact that the malicious user must be allowed to upload files.

SQL Injection - Database API - Drupal 7: A vulnerability was found in the SQL comment filtering system which could allow a user with elevated permissions to inject malicious code in SQL comments. This vulnerability is mitigated by the fact that only one contributed module that the security team found uses the comment filtering system in a way that would trigger the vulnerability. That module requires you to have a very high level of access in order to perform the attack.

Cross-site Request Forgery - Form API - Drupal 6 and 7: A vulnerability was discovered in Drupal's form API that could allow file upload value callbacks to run with untrusted input, due to form token validation not being performed early enough. This vulnerability could allow a malicious user to upload files to the site under another user's account. This vulnerability is mitigated by the fact that the uploaded files would be temporary, and Drupal normally deletes temporary files automatically after 6 hours.

Information Disclosure in Menu Links - Access system - Drupal 6 and 7: Users without the "access content" permission can see the titles of nodes that they do not have access to, if the nodes are added to a menu on the site that the users have access to.

The Ajax system now validates URLs before making an Ajax request. Existing code which uses the Drupal Ajax API in any of the standard ways should continue to work after this update. In the event you have unusual Ajax code which does not work with Drupal 7.39, you can have your code manually validate the URL in one of two ways: either add the URL to the "urlIsAjaxTrusted" JavaScript setting (see ajax_pre_render_element() for an example), or call ajax_set_verification_header() in the Ajax callback function to mark the current URL as trusted. Only do this for URLs that you actually trust: Ajax requests in Drupal should never be made to untrusted URLs.
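As an added illustration (not code from the advisory, from Installatron, or from Drupal core), the following small Drupal 7 module shows both of the ways described above. The module name "ajaxtrust_example", the paths "ajaxtrust/demo" and "ajaxtrust/refresh", and the element and wrapper IDs are assumptions; the Drupal API functions called are the real 7.x ones.

```php
<?php
/**
 * @file
 * Marking an Ajax URL as trusted under Drupal 7.39, both ways.
 *
 * Added illustration; not code from the advisory or from Drupal core.
 * Module name, paths and element IDs are assumptions.
 */

/**
 * Implements hook_menu().
 */
function ajaxtrust_example_menu() {
  $items['ajaxtrust/demo'] = array(
    'page callback' => 'ajaxtrust_example_page',
    'access arguments' => array('access content'),
  );
  $items['ajaxtrust/refresh'] = array(
    'page callback' => 'ajaxtrust_example_refresh',
    // Trusting the URL does not authorize anyone; keep a real access check.
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Way 1: declare the URL trusted on the page that makes the request.
 *
 * This is what ajax_pre_render_element() does for Form API elements with
 * #ajax; a hand-wired Drupal.ajax instance has to do it itself. The array
 * key must be the exact string the client uses as the request URL, so the
 * same url() output is used for the setting and for the link.
 */
function ajaxtrust_example_page() {
  $url = url('ajaxtrust/refresh');

  drupal_add_library('system', 'drupal.ajax');
  drupal_add_js(array(
    // Consulted by the client-side check before the request is sent.
    'urlIsAjaxTrusted' => array($url => TRUE),
    // Hand-wired Drupal.ajax instance bound to the element with this ID.
    'ajax' => array(
      'ajaxtrust-link' => array(
        'url' => $url,
        'event' => 'click',
        'wrapper' => 'ajaxtrust-wrapper',
        'progress' => array('type' => 'throbber'),
      ),
    ),
  ), 'setting');

  $link = l(t('Refresh'), 'ajaxtrust/refresh', array(
    'attributes' => array('id' => 'ajaxtrust-link'),
  ));
  return '<div id="ajaxtrust-wrapper">' . check_plain(format_date(REQUEST_TIME)) . '</div>' . $link;
}

/**
 * Way 2: the callback itself marks the URL trusted.
 *
 * Callbacks returning a '#type' => 'ajax' render array through the standard
 * delivery path get this for free; a callback that emits the JSON command
 * list on its own (the "unusual Ajax code" case) must call
 * ajax_set_verification_header() explicitly, and before any output, since
 * it sets an HTTP header.
 */
function ajaxtrust_example_refresh() {
  ajax_set_verification_header();

  $commands = array();
  $commands[] = ajax_command_html('#ajaxtrust-wrapper', check_plain(format_date(REQUEST_TIME)));
  $commands[] = ajax_command_append('#ajaxtrust-wrapper', ' <small>' . t('(via Ajax)') . '</small>');

  // Emit the command list directly instead of going through ajax_deliver().
  drupal_json_output($commands);
  drupal_exit();
}
```

Either mechanism alone is sufficient; the module shows both so the two call sites can be compared. Neither replaces access control on the callback, and neither should be applied to a URL that is not under your control.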