The developers of the Symfony PHP web application framework released updates that patch five vulnerabilities, three affecting the Drupal CMS.

The development team of the Symfony PHP web application framework released security updates for five issues, three of which also affects Drupal 7 and 8.

The developers of the Symfony PHP web application framework addressed a total of five vulnerabilities, three of which impact the Drupal CMS.

The flaws that affect the Drupal CMS are:

an arbitrary code flaw tracked as CVE-2019-10910;

the lack of a separator in the remember me cookie hash tracked as CVE-2019-10911;

a cross-site scripting (XSS) tracked as CVE-2019-10909.

The latest versions of Drupal also include security updates to address a jQuery vulnerability. The Moderately critical Cross Site Scripting flaw resides in the jQuery . extend ( ) function.”

“It’s possible that this vulnerability is exploitable with some Drupal modules.” reads the security advisory published by Drupal. “As a precau tion, thi s Drupal sec urity release backports the fix to jQuery.extend(), witho ut mak ing any other changes to the jQuery version that is included in Drupal core (3.2.1 for Drupal 8 and 1.4.4 for Drupal 7) or running on the site v ia some other module such as jQuery Update,”

Drupal addressed the flaw with the release of versions 8.6.15, 8.5.15 and 7.66.

Pierluigi Paganini

(SecurityAffairs – hacking, Symfony)