Drupal advisory warns users to update or risk DoS attack

Drupal, a commonly used digital content management platform, has released a security warning about a denial of service (DoS) vulnerability affecting Drupal Core.

The US Cybersecurity and Infrastructure Security Agency (CISA) is urging the millions of Drupal users to address the vulnerability as soon as possible.

The “moderately critical” vulnerability (SA-CORE-2024-001) affects multiple Drupal core versions and lies in the system’s “comment module,” the advisory said.

CISA warns that a threat actor could exploit the vulnerability to carry out a denial-of-service (DoS) attack.

“The Comment module allows users to reply to comments,” the warning states.

“In certain cases, an attacker could make comment reply requests that would trigger a denial of service (DoS).”

“Sites that do not use the Comment module are not affected,” it said.

Affected Drupal versions include Drupal 10.1 and 10.2, which can be secured by installing the latest software versions:

  • If you are using Drupal 10.2, update to Drupal 10.2.2.
  • If you are using Drupal 10.1, update to Drupal 10.1.8.

The advisory also notes that all Drupal versions prior to 10.1 – including Drupal 8 and 9 – are end-of-life and do not receive security coverage.

Drupal 7 is not affected by the vulnerability, the company said.

Written in PHP and JavaScript, Drupal is an open source content management system widely used across dozens of industries and by millions of people and businesses worldwide.

Drupal runs on Unix-like and Windows operating systems.