Thursday, March 21, 2019

Drupal core SA-CORE-2019-004 Cross Site Scripting vulnerability

A new Drupal version was released recently to address a security issue. Under certain circumstances, the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability. You can find more information at SA-CORE-2019-004.


For new application deployments, including those performed through the Bitnami Launchpad, we have released Drupal 8.6.13 and 7.65 for containers, installers, virtual machines, cloud images, and Multi-Tier solutions. We have also updated the Drupal-based solutions (CiviCRM and OpenAtrium). If you have already deployed any of these solutions and have not yet updated them to the latest version, you will need to follow the upgrade process described in our documentation.


If you have further questions about this security issue, please post to our community forum, where we will be happy to help.