Drupal, the widely used content management system powering millions of websites, has published security advisories for vulnerabilities in six contributed modules. One of them is rated critical and demands immediate attention from site administrators.
The security advisories affect modules powering essential website features including e-commerce currency tools, visitor analytics, and user authentication systems across thousands of Drupal sites.
Critical Vulnerability in JSON Field Module
The most severe issue affects the JSON Field module, which stores JSON data in a field and renders it for display on Drupal sites. Versions before 1.5 are vulnerable to Cross-Site Scripting (XSS): insufficient filtering of field data allows script to be injected into rendered pages. Because the injected script runs in the browser of whoever views the page, a bug of this kind can lead to hijacked sessions, stolen data and, if an administrator is targeted, full site takeover. No active exploitation has been reported, but the advisory's risk score of 15/25 (the Critical band on Drupal's 25-point scale) reflects the potential impact.
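The following is an added example, written in Python for this article, that illustrates the class of bug described above; it is not the JSON Field module's code and makes no claim about where that module's filtering was missing. The stored document, the output format and the helper names are all constructed for the demonstration. It shows the trap specific to JSON fields: pretty-printing valid JSON does nothing to neutralise HTML inside string values, so the escape has to happen at the point of output.

```python
import html
import json

# Constructed sample: a JSON document an untrusted user could save into a
# JSON-typed field. Valid JSON is not safe HTML; the "note" value carries a tag.
SAMPLE_FIELD_VALUE = json.dumps({
    "title": "Widget",
    "note": "<img src=x onerror=alert(1)>",
})


def render_json_unsafe(raw_value: str) -> str:
    """Vulnerable pattern: pretty-print the stored JSON and drop it straight into
    markup. json.dumps escapes quotes for JSON purposes only; <, > and & pass
    through untouched, so any HTML inside a string value reaches the browser
    verbatim and executes."""
    pretty = json.dumps(json.loads(raw_value), indent=2)
    return f'<pre class="json-field">{pretty}</pre>'


def render_json_safe(raw_value: str) -> str:
    """Hardened pattern: the same pretty-printing, then HTML-escape the whole
    result at the point of output. The JSON stays readable; the payload is
    rendered as inert text."""
    pretty = json.dumps(json.loads(raw_value), indent=2)
    return f'<pre class="json-field">{html.escape(pretty, quote=True)}</pre>'


def contains_live_markup(rendered: str) -> bool:
    """Coarse check used for testing: does the body inside the <pre> wrapper
    still contain a raw angle bracket that a browser would parse as a tag?"""
    prefix, suffix = '<pre class="json-field">', "</pre>"
    body = rendered[len(prefix):-len(suffix)]
    return "<" in body or ">" in body


if __name__ == "__main__":
    print("unsafe:", render_json_unsafe(SAMPLE_FIELD_VALUE))
    print("safe:  ", render_json_safe(SAMPLE_FIELD_VALUE))
```

In Drupal the equivalent of the `html.escape()` step is Twig's autoescaping or `\Drupal\Component\Utility\Html::escape()`; wrapping a raw user string in a `Markup` object, or rendering it through a path that bypasses autoescaping, is what turns stored JSON into an XSS vector.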
Access Bypass in Reverse Proxy Header Module
The Reverse Proxy Header module, used behind load balancers and reverse proxies to recover the real client IP address from forwarded headers, contains a less critical access bypass vulnerability in versions before 1.1.2. Combined with a permissive proxy configuration, the flaw could let an attacker supply a forged header and spoof their IP address, bypassing controls that depend on accurate client identification, such as IP allowlists, rate limiting and flood control. Site operators using this module should review which proxies they trust in addition to applying the update.
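The check that a trusted-proxy configuration is meant to enforce, as an added example written in Python for this article (not the module's code): the naive resolver believes whatever the first X-Forwarded-For entry says, while the hardened one honours the header only when the TCP peer is a configured proxy and then walks the chain from the right, discarding trusted hops, so the client address is the first one an untrusted party appended. The request tuples, the trusted network and the function names are constructed for the demonstration.

```python
import ipaddress
from typing import List, Optional

# Constructed sample requests as (TCP peer address, X-Forwarded-For value).
# LEGIT: a real visitor arriving through the site's load balancer at 10.0.0.5.
# SPOOFED: an attacker who reached the web server directly and forged the header.
# CHAINED: the same attacker via the load balancer, which appended his real
# address after the forged one he supplied.
LEGIT_REQUEST = ("10.0.0.5", "203.0.113.7")
SPOOFED_REQUEST = ("198.51.100.42", "127.0.0.1")
CHAINED_SPOOF = ("10.0.0.5", "127.0.0.1, 198.51.100.42")

# The only hops allowed to speak for a client: the load balancer subnet.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def client_ip_naive(peer: str, xff: Optional[str]) -> str:
    """Misconfigured pattern: trust the first X-Forwarded-For entry from anyone.
    Whoever connects directly to the web server chooses their own 'client IP'."""
    if xff:
        return xff.split(",")[0].strip()
    return peer


def _is_trusted(addr: str, trusted: List[ipaddress.IPv4Network]) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # garbage in the header is never a trusted proxy
        return False
    return any(ip in net for net in trusted)


def client_ip_trusted(peer: str, xff: Optional[str],
                      trusted: Optional[List[ipaddress.IPv4Network]] = None) -> str:
    """Hardened pattern: only a configured proxy may assert a client address,
    and only the entries it (or another trusted hop) appended are believed."""
    trusted = TRUSTED_PROXIES if trusted is None else trusted
    if not xff or not _is_trusted(peer, trusted):
        return peer             # direct connection: the peer is the client
    hops = [h.strip() for h in xff.split(",")]
    # The rightmost entry was appended by the peer we just verified; walking
    # left, the first address that is not one of our proxies is the client.
    for hop in reversed(hops):
        if not _is_trusted(hop, trusted):
            return hop
    return hops[0]              # every hop is our own proxy; take the outermost


if __name__ == "__main__":
    for name, req in (("legit", LEGIT_REQUEST), ("spoofed", SPOOFED_REQUEST),
                      ("chained", CHAINED_SPOOF)):
        print(f"{name:8s} naive={client_ip_naive(*req):15s} "
              f"trusted={client_ip_trusted(*req)}")
```

In Drupal the corresponding knobs live in settings.php: `$settings['reverse_proxy']` turns header processing on and `$settings['reverse_proxy_addresses']` lists the proxies that may be believed. Leaving that list empty, or widening it to a range the attacker can also connect from, is the kind of misconfiguration that lets the forged header through; trusting only the addresses of your own proxies removes the spoofing avenue even if an upstream check is weaker than it should be.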
Four other contributed modules received security patches for moderately critical issues:
- Currency (<3.5.0): Cross-Site Request Forgery (CSRF); an attacker could trick an authenticated administrator's browser into submitting a request that changes currency settings.
- Umami Analytics (<1.0.1): Cross-Site Scripting; a permission-related flaw lets users holding that permission insert arbitrary JavaScript.
- Plausible Analytics (<1.0.2): Cross-Site Scripting caused by insufficient output filtering.
- Access Code (<2.0.5): lets users sign in with an access code; flawed uniqueness checks could let an attacker with certain permissions guess other users' codes.
Site owners and administrators should update the affected modules to the fixed releases (JSON Field 1.5, Reverse Proxy Header 1.1.2, Currency 3.5.0, Umami Analytics 1.0.1, Plausible Analytics 1.0.2 and Access Code 2.0.5) as a priority.
Given how widely these modules are deployed, from e-commerce sites to analytics and login flows, prompt updating is essential to keeping a site secure.
Visit Drupal's security advisories page for full technical details and update information.