Drupal has released security updates to address a vulnerability affecting Drupal CMS 7, 9.4, 9.5 and 10.0 versions. Successful exploitation of these vulnerabilities could allow for remote code execution or an attacker could take control of an unpatched system.  

Security Risks

Vulnerability, identified as SA-CORE-2023-005, could potentially allow an attacker to bypass certain access controls and gain unauthorized access to sensitive data or perform unauthorized actions. It is important for Drupal users to update their software as soon as possible to address this security risk.

For the full list of security updates released by Drupal , please refer to Drupal Security Advisories

Recommended Actions

The National Cyber Security Authority recommends all Drupal users and administrators to install the latest version as follows:

• If you are using Drupal 10.0, update to Drupal 10.0.8.

• If you are using Drupal 9.5, update to Drupal 9.5.8.

• If you are using Drupal 9.4, update to Drupal 9.4.14.

• If you are using Drupal 7, update to Drupal 7.96.

All versions of Drupal 9 prior to 9.4.x are end-of-life  and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal users and administrators should continually check for software versions and update as new versions become available.

For further information and support, please contact the National Cyber Security Authority (NCSA) by email to rwcsirt@ncsa.gov.rw or call us on 9009

References

Drupal Security Advisories

https://endoflife.date/drupal

Drupal core - Moderately critical - Access bypass - SA-CORE-2023-005