Critical Vulnerabilities in Drupal

Drupal is a free, open source software that can be used to easily create and manage many types of Web sites. Drupal also includes a Content Management Platform and a development framework. A set of critical vulnerabilities was identified and fixed in Drupal, the most severe of which could allow an attacker to overwrite sensitive files on a targeted server. Drupal has also pointed out that a proof of concept code exists for the vulnerability and could soon be incorporated in wide-spread attacks considering the popularity of Drupal websites.

Highly Critical Vulnerabilities

  • SA-CORE-2019-012 patches multiple highly critical vulnerabilities affecting a third party library Archive_Tar, used by Drupal in certain configurations. The vendor states that multiple vulnerabilities are possible when Drupal is configured to allow upload and processing of  .tar, .tar.gz, .bz2 or .tlz files. An attacker can exploit this vulnerability to overwrite sensitive files by uploading maliciously crafted .tar files.

Moderately Critical Vulnerabilities

  • SA-CORE-2019-009 : A flaw exists in install.php which can be used by an unauthenticated attacker to corrupt the cached data, leading to a denial of service condition caused by impairment of a site until the caches are rebuilt. Drupal suggests blocking access to install.php if it is not required.
  • SA-CORE-2019-010 : Multiple flaws reside in file_save_upload() function which can allow an attacker with the ability to upload files to bypass security protections by overwriting arbitrary files such as .htaccess . This bug exists because the file_save_upload() function does not strip the leading and trailing dot (‘.’) from filenames.
  • SA-CORE-2019-011 : A flaw exists in the Media Library module which allows attackers with low privileges to gain unauthorized access to sensitive data. This vulnerability arises due to improper restrictions on access to media files in certain configurations.

Affected Products

Drupal versions 7.x before 7.69, 8.7.x before 8.7.11, 8.8.x before 8.8.1


An attacker can upload malicious files to overwrite sensitive files, bypass security restrictions, gain unauthorized access to sensitive data and cause denial of service condition.


Upgrade to Drupal 7.69, 8.7.11, or 8.8.1 or later.


Subscribe For More Posts Like This

Get the latest research, best practices, industry trends and cybersecurity blogs from SecPod security experts

Invalid email address
We promise not to spam you. You can unsubscribe at any time.
0 0 votes
Article Rating
Notify of
Inline Feedbacks
View all comments