Security Alert (A19-04-06): Multiple Vulnerabilities in Drupal

Description:

Drupal released security updates to fix the vulnerabilities in jQuery and Symfony libraries which are included in the Drupal core.  A remote attacker may send specially crafted HTTP requests to exploit the vulnerabilities.

Affected Systems:

• Drupal version 7.x, 8.5.x, 8.6.x

Impact:

A successful attack could lead to remote code execution, cross site scripting (XSS) or security restriction bypass on an affected system.

Recommendation:

The product vendor has released patches to address the issues.

• Drupal 8.6.15
  This link will open in a new windowhttps://www.drupal.org/project/drupal/releases/8.6.15
  
  
• Drupal 8.5.15
  This link will open in a new windowhttps://www.drupal.org/project/drupal/releases/8.5.15
  
  
• Drupal 7.66
  This link will open in a new windowhttps://www.drupal.org/project/drupal/releases/7.66
  
  

More Information:

This link will open in a new windowhttps://www.drupal.org/sa-core-2019-005
This link will open in a new windowhttps://www.drupal.org/sa-core-2019-006
This link will open in a new windowhttps://www.us-cert.gov/ncas/current-activity/2019/04/17/Drupal-Releases-Security-Updates
This link will open in a new windowhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10909 (to CVE-2019-10911)