Drupal patches serious vulnerabilities in modules that allow site takeover

The Drupal content management system project warns of serious vulnerabilities in three modules that make it possible to take over a site. The modules are used by a small number of sites; the organization estimates the total number to be between 1,000 and 10,000.

Drupal core is not affected, the security team said in a message. The modules are Restws, Coder and Webform Multiple File upload. Modules of this kind extend the functionality of the CMS. The vulnerabilities allow remote code execution and have been given scores of up to 22 out of 25 points, making them very serious.

Patches for the vulnerabilities were released on Wednesday. Drupal has said via Twitter that the Coder module does not need to be enabled to be attacked; it only needs to be located somewhere in the webroot. Drupal expects that exploits for the vulnerabilities will certainly appear within hours or days and therefore calls on users to update as soon as possible.
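Because the Coder module only has to be present in the webroot, a list of enabled modules is not a sufficient inventory; the files on disk have to be found. The following is an added example, not code from Drupal or from this article: it walks a webroot for the three modules by their `.info` files (and, going slightly beyond the text, Drupal 8 style `.info.yml` files) and reports every copy. The machine names `coder`, `restws` and `webform_multifile`, the sample tree and its version strings are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed drupal.org machine names for the three modules the article names.
MODULES = ("coder", "restws", "webform_multifile")
# Matches 'version = "7.x-1.0"' (.info) and "version: '8.x-1.0'" (.info.yml).
VERSION_RE = re.compile(r"""^\s*version\s*[=:]\s*["']?([^"'\r\n]+?)["']?\s*$""", re.M)

def find_modules(webroot):
    """Return sorted (module, version, relative_dir) for every copy on disk.

    Detection keys on the module's .info / .info.yml file, so disabled,
    duplicated and forgotten copies are reported as well; the site's
    "enabled" flag in the database is never consulted.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in MODULES:
            for info in (name + ".info", name + ".info.yml"):
                if info not in files:
                    continue
                with open(os.path.join(dirpath, info), errors="replace") as fh:
                    match = VERSION_RE.search(fh.read())
                # Git checkouts carry no packaged version line.
                version = match.group(1) if match else "unknown"
                hits.append((name, version, os.path.relpath(dirpath, webroot)))
    return sorted(hits)

def build_sample_tree(root):
    """Write a constructed webroot; paths and version strings are made up."""
    sample = {
        "sites/all/modules/coder/coder.info": 'name = Coder\nversion = "7.x-0.0-sample"\n',
        "sites/default/files/backup/restws/restws.info": "name = RESTful web services\n",
        "modules/contrib/coder/coder.info.yml": "name: Coder\nversion: '8.x-0.0-sample'\n",
        "sites/all/modules/views/views.info": 'name = Views\nversion = "7.x-0.0-sample"\n',
    }
    for rel, body in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for name, version, where in find_modules(root):
            print(f"{name:18} {version:16} {where}")
```

Every path reported should be checked against the patched releases in the Drupal advisories, and copies that are not needed should be removed from the webroot rather than merely disabled.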

According to The Register, Drupal has been downloaded about 15 million times in total, compared to 30 million downloads for Joomla and 140 million downloads for WordPress.