Description:
Drupal released security updates to fix the vulnerabilities in jQuery and Symfony libraries which are included in the Drupal core. A remote attacker may send specially crafted HTTP requests to exploit the vulnerabilities.
Affected Systems:
- Drupal version 7.x, 8.5.x, 8.6.x
Impact:
A successful attack could lead to remote code execution, cross site scripting (XSS) or security restriction bypass on an affected system.
Recommendation:
The product vendor has released patches to address the issues.
- Drupal 8.6.15
https://www.drupal.org/project/drupal/releases/8.6.15
- Drupal 8.5.15
https://www.drupal.org/project/drupal/releases/8.5.15
- Drupal 7.66
https://www.drupal.org/project/drupal/releases/7.66
More Information:
https://www.drupal.org/sa-core-2019-005
https://www.drupal.org/sa-core-2019-006
https://www.us-cert.gov/ncas/current-activity/2019/04/17/Drupal-Releases-Security-Updates
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10909 (to CVE-2019-10911)
