If you have a custom website that is not in shared hosting, we'll let you know by email when we're done. If you have a shared hosting account, you can follow our progress by following our support team on Twitter. ActionĪll Drupal 7 & 8 websites that are hosted with Enrega will be updated by our support team. For more information about the update process, please see our security updates for your website page. To mitigate the incompatibility that has been identified, all Drupal 7 & 8 websites should be updated. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access-privileges to sensitive page content, to session cookies, and to a variety of other information maintained by the browser on behalf of the user. When the resulting combined content arrives at the client-side web browser, it has all been delivered from the trusted source, and thus operates under the permissions granted to that system. A cross-site scripting vulnerability may be used by attackers to bypass access controls and exploit known vulnerabilities in web-based applications, their servers, or the plug-in systems on which they rely.Įxploiting one of these, attackers fold malicious content into the content being delivered from the compromised site. A zero-day vulnerability, denoted by the CVE identifier CVE-2023-30777, exposes a dangerous reflected cross-site scripting (XSS) flaw. XSS enables attackers to inject client-side scripts into web pages viewed by other users. What is a Cross Site Scripting vulnerability?Ĭross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. With a combination of versatility and extensibility, jQuery has changed the way that millions of people write JavaScript. JQuery is a feature-rich JavaScript library that greatly simplifies JavaScript programming. It makes things like HTML document traversal and manipulation, event handling, animation, and Ajax much simpler with an easy-to-use API that works across a multitude of browsers. It must be noted that it is unlikely that this vulnerability has been exploited on websites that are hosted by Enrega because the hosting configuration blocks Cross Site Scripting by default. As a precaution, this Drupal security release back-ports the fix to the jQuery.extend() function, without making any other changes to the jQuery version that is included in Drupal core (3.2.1 for Drupal 8 and 1.4.4 for Drupal 7). This is why it is important to take extra security measures when using Drupal, such as installing security modules and using secure passwords. The jQuery project released version 3.4.0, and as part of that, disclosed a security vulnerability that affects all prior versions. It's possible that this vulnerability is exploitable with some Drupal modules. While Drupal does have some built-in security measures, such as user permissions and password encryption, it is still vulnerable to attack. The updates mitigate a Cross Site Scripting vulnerability that has been identified in the jQuery library which is included with all versions of Drupal. Test for cross-site scripting (XSS) vulnerabilities, by attempting to inject. Drupal has released a moderately critical security update for both Drupal 8 (version 8.6.15) and Drupal 7 (version 7.66). Check for known vulnerabilities in the Drupal version currently in use.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |