Websites running the Drupal, Joomla, or Typo3 content-management systems are vulnerable to attacks that could possibly execute malicious code until administrators install just-released patches, developers and security researchers warned.
The vulnerability resides in the PharStreamWrapper, a PHP component developed and open-sourced by CMS maker Typo3. Indexed as CVE-2019-11831, the flaw stems from a path-traversal bug that allows hackers to swap a site’s legitimate phar archive with a malicious one. A phar archive is used to distribute a complete PHP application or library in a single file, in much the way a Java archive file bundles many Java files into a single file.
In an advisory published Wednesday, Drupal developers rated the severity of the vulnerability affecting their CMS as moderately critical. That’s well below the highly critical rating of a recent Drupal vulnerability and earlier remote-execution flaws that took on the name “Drupalgeddon.” Still, the vulnerability represents enough of a risk that administrators should patch it as soon as possible.