Drupal, the open-source content management framework, has released patched versions of Drupal 7, Drupal 8.5 and Drupal 8.6 to fix a cross-site scripting (XSS) flaw in the jQuery JavaScript library and several flaws in the Symfony web application framework. The Drupal project advises website administrators to update immediately.
When the jQuery project released jQuery 3.4.0 in April, it noted in the release notes that earlier versions contain a flaw that can enable cross-site scripting, so Drupal has updated the jQuery version it bundles. The flaw can lead to cross-site scripting because a call such as jQuery.extend(true, {}, ...) behaves unexpectedly when the source object has not been sanitised: an enumerable __proto__ property in the source is merged as well, and the deep extension can end up polluting Object.prototype.
The jQuery project notes that jQuery is a DOM manipulation library that usually does whatever the user's script tells it to; although jQuery protects users as far as it can, developers must also guard against user-supplied content and filter critical data according to clear rules. Because some Drupal modules are also affected by this flaw, the fix is, as a precaution, being backported to older versions, including Drupal 7 and Drupal 8, but it does not cover Drupal 8.5.x or other versions whose support has ended.
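The deep-extend behaviour described above, and the input filtering the jQuery project asks developers to do, as an added example that is not jQuery's or Drupal's own code: a minimal deep merge in the style of jQuery.extend(true, target, source), first in the form that lets a __proto__ key in untrusted input reach Object.prototype, then hardened; the UNTRUSTED input and the isAdmin key are constructed for the demonstration.

```javascript
// Added example, not jQuery's or Drupal's code. jQuery-style plain-object
// test: null-prototype objects count, so Object.prototype itself passes.
function isPlainObject(v) {
  if (v === null || typeof v !== "object") return false;
  const proto = Object.getPrototypeOf(v);
  return proto === null || proto === Object.prototype;
}
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
// Vulnerable pattern: an own "__proto__" key (as JSON.parse creates it) is
// read back from target through the accessor as Object.prototype and merged into.
function naiveDeepExtend(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveDeepExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}
// Hardened pattern: skip "__proto__" (as jQuery 3.4.0 does) and the other
// prototype-reaching keys, and walk only the source's own properties.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeDeepExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}
// Constructed untrusted input, e.g. a settings blob a page should not trust.
const UNTRUSTED = '{"theme":"dark","__proto__":{"isAdmin":true}}';
// Merges UNTRUSTED into a fresh object with the given function and reports
// whether an unrelated new object now sees the injected key; then cleans up.
function pollutes(extend) {
  try {
    extend({}, JSON.parse(UNTRUSTED));
    return ({}).isAdmin === true;
  } finally {
    delete Object.prototype.isAdmin;
  }
}
```

The same check, an unexpected property showing up on a freshly created empty object after a merge, is a useful regression test for any deep-merge helper an application carries.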
The same Drupal update also fixes three flaws found in the Symfony framework used by Drupal core: an escaping problem in the validation messages of the PHP templating engine (CVE-2019-10909), a service ID validation flaw (CVE-2019-10910) and a Cookie splitting flaw (CVE-2019-10911). The first flaw arises when a developer renders a form theme with the PHP templating engine: validation messages were not escaped and could contain user input, so, as with the jQuery flaw, there is a risk of cross-site scripting.
The second Symfony flaw, in service ID validation, is similar to the first in that it also stems from input validation: when unfiltered user input is used to derive a new service ID, arbitrary code may be executed, leading to remote code execution. The third flaw, in Cookie splitting, lets an attacker tamper with a user's Cookie and use it to authenticate as a different identity; this is particularly dangerous for systems that use single sign-on (SSO), where it could allow impersonating other users to access services.