CMS platform issues update to address two critical and several moderately critical issues

Drupal, the open source content management framework, has patched a critical vulnerability that left sites exposed to cross-site scripting (XSS) attacks, the platform’s security team has confirmed.

A vulnerability in Drupal versions 7 and 8 could have led to an XSS attack under certain circumstances, it was reported last week.

Drupal released a security advisory that read: “Drupal has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript does not typically go through Twig auto-escaping).

“This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances.”
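The advisory does not spell out which injection method the escaper mishandled. The following is an added illustration, not Drupal’s own code, of the class of bug it describes: an HTML escaper that is complete for text nodes and double-quoted attributes but silently incomplete for another output context. The assumption here (mine, for illustration) is a helper that escapes &, <, > and double quotes but not single quotes, used by client-side JavaScript that builds markup with a single-quoted attribute, exactly the kind of output path that never passes through Twig auto-escaping. The `renderTitle`, `escapedSafely` and `demo` names and the payload are constructed for the example.

```javascript
// Added illustration of why an escaper that misses one character class
// remains an XSS vector. None of these functions are Drupal's; they are
// simplified stand-ins for the pattern the advisory describes.

// Escaper that handles &, <, > and double quotes but not single quotes.
// (Assumption for illustration: the classic gap in helpers of this kind.)
function escapeNoSingleQuote(str) {
  return String(str)
    .replace(/&/g, '&amp;')   // must run first so later entities survive
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Complete escaper: every character that can terminate an HTML text node
// or a quoted attribute value, including the single quote.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical rendering site: JavaScript concatenating markup with a
// single-quoted attribute. Twig never sees this string, so the escaper is
// the only defence.
function renderTitle(escape, untrusted) {
  return "<span title='" + escape(untrusted) + "'>item</span>";
}

// True when the escaped string can no longer break out of a text node or a
// single- or double-quoted attribute: no raw quotes or angle brackets, and
// every ampersand begins one of the entities the escaper emits.
function escapedSafely(s) {
  return !/['"<>]/.test(s) && !/&(?!(amp|lt|gt|quot|#39);)/.test(s);
}

// Constructed payload: closes a single-quoted attribute and appends an
// event-handler attribute. No angle brackets or double quotes are needed.
const PAYLOAD = "x' onmouseover='alert(1)";

// Renders the same untrusted input through both escapers so the difference
// is visible side by side.
function demo() {
  return {
    weak: renderTitle(escapeNoSingleQuote, PAYLOAD),
    fixed: renderTitle(escapeHtml, PAYLOAD),
  };
}
```

With the incomplete escaper the payload passes through untouched and the rendered string gains an `onmouseover` handler; with the complete escaper the quote becomes `&#39;` and the attribute value stays a single inert string. The practical check for any custom escaper is the one `escapedSafely` performs: enumerate the contexts the output is placed into (text node, double-quoted attribute, single-quoted attribute) and confirm no character that terminates any of them survives unencoded.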

Another flaw, in Drupal 8, allowed certain users to view content and comments they did not have permission to see via the comment reply form, and to add comments to content they don’t have access to.

Both of the vulnerabilities were rated ‘critical’ by Drupal, which has since released a patch for the flaws, as well as numerous other vulnerabilities marked ‘moderately critical’.

These included a private file access bypass in Drupal 7: the check that a user may view or download a file from the private file system could fail under certain conditions, such as when one module grants access to the file while another tries to deny it.

The patches were released in versions 8.4.5 and 7.57 (advisory SA-CORE-2018-001), and Drupal urged its users to update.

Drupal last issued a critical fix in August, when it patched a number of access bypass flaws.