Drupal, a widely used digital content management platform, has raised an alarm by releasing a security warning regarding a “moderately critical” denial-of-service (DoS) vulnerability, identified as SA-CORE-2024-001, affecting multiple versions of Drupal Core. The US Cybersecurity and Infrastructure Security Agency (CISA) is actively urging the millions of Drupal users to address this vulnerability promptly to mitigate potential risks. The vulnerability specifically targets the “comment module” within the system, allowing threat actors to exploit it for carrying out denial-of-service attacks.
According to CISA, the Comment module, which facilitates user replies to comments, poses a potential risk as attackers could manipulate comment reply requests to trigger a DoS attack. Drupal versions 10.1 and 10.2 are confirmed to be affected, and users are strongly advised to update to the latest versions – Drupal 10.1.8 and Drupal 10.2.2, respectively – to secure their systems against potential exploitation. The advisory also emphasizes that Drupal versions prior to 10.1, including Drupal 8 and 9, have reached end-of-life and no longer receive security coverage. Drupal 7, however, remains unaffected by this vulnerability.
Drupal, written in PHP and JavaScript, stands as an open-source content management system widely employed across various industries by millions of users and businesses globally. Operating on Unix-like and Windows systems, Drupal plays a crucial role in managing digital content for a diverse user base.
