Drupal patched security vulnerabilities in Symfony, jQuery

The developers of the Symfony PHP web application framework released updates that patch five vulnerabilities, three affecting the Drupal CMS.

The development team of the Symfony PHP web application framework released security updates for five issues, three of which also affects Drupal 7 and 8.

The developers of the Symfony PHP web application framework addressed a total of five vulnerabilities, three of which impact the Drupal CMS.

The flaws that affect the Drupal CMS are:

• an arbitrary code flaw tracked as CVE-2019-10910;
• the lack of a separator in the remember me cookie hash tracked as CVE-2019-10911;
• a cross-site scripting (XSS) tracked as CVE-2019-10909.

The latest versions of Drupal also include security updates to address a jQuery vulnerability. The Moderately critical Cross Site Scripting flaw resides in the jQuery.extend() function.”

“It’s possible that this vulnerability is exploitable with some Drupal modules.” reads the security advisory published by Drupal. “As a precaution, this Drupal security release backports the fix to jQuery.extend(), without making any other changes to the jQuery version that is included in Drupal core (3.2.1 for Drupal 8 and 1.4.4 for Drupal 7) or running on the site via some other module such as jQuery Update,”

Drupal addressed the flaw with the release of versions 8.6.15, 8.5.15 and 7.66.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Symfony)

[adrotate banner=”5″]

[adrotate banner=”13″]