Website admins who built their pages with the Drupal 7 content management system should install a security update as soon as possible. Otherwise, attackers could redirect visitors to a website they created. Attackers who can use the library to create content for a vulnerable website could also use the vulnerability to attack admin accounts.
The Creators Already Recommend That Operators Consider Updating To A New Version
In a security warning, the Drupal developers classify the attack risk from the vulnerability as moderately critical. A CVE number to identify the vulnerability has evidently not yet been assigned. It is an open redirect vulnerability that only affects Drupal 7. If an attack is successful, attackers could lure victims to a website they control. The cause is an insufficient check of the destination query parameter.
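A defensive sketch of the kind of check described above, together with a log scan for requests that carry an off-site destination value. This is an added example, not Drupal's code or its patch; the log format, the sample lines and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from any real site).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2020:10:00:00 +0000] "GET /user/login?destination=node/12 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2020:10:00:05 +0000] "GET /user/login?destination=https%3A%2F%2Fexample.net%2Flogin HTTP/1.1" 302 0',
    '203.0.113.9 - - [01/Jan/2020:10:00:09 +0000] "GET /user/login?destination=%2F%2Fexample.net HTTP/1.1" 302 0',
    '203.0.113.7 - - [01/Jan/2020:10:00:12 +0000] "GET /node/3?destination=%2F%5Cexample.net HTTP/1.1" 302 0',
    '203.0.113.8 - - [01/Jan/2020:10:00:20 +0000] "GET /search?q=destination HTTP/1.1" 200 900',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def is_local_destination(value):
    """True only for a plain site-relative path such as 'node/12' or '/admin'."""
    value = value.strip()
    if not value or any(ord(c) < 0x20 for c in value):
        return False
    # Browsers treat '\' like '/', so normalise before checking.
    normalised = value.replace("\\", "/")
    if normalised.startswith("//"):
        return False  # scheme-relative URL, leaves the site
    parts = urlsplit(normalised)
    return parts.scheme == "" and parts.netloc == ""

def flag_external_destinations(log_lines):
    """Return (client_ip, destination) for requests whose destination is not local."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        # parse_qs percent-decodes the values before they are checked.
        for dest in parse_qs(query).get("destination", []):
            if not is_local_destination(dest):
                hits.append((line.split()[0], dest))
    return hits

if __name__ == "__main__":
    for ip, dest in flag_external_destinations(SAMPLE_LOG):
        print(ip, dest)
```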
Depending on the complexity of a project, a major Drupal update means a lot of effort. Above all, extensive changes to individual modules were required in the past in order to make them run under a new version. However, if you are now planning to update from version 7 to 8, the step to version 9 should not be too expensive.
The Drupal update is expected to be released before version 7 support ends in 2020. However, the last iteration of version 8 and the first of version 9 should be relatively identical; only outdated code is to be removed and dependencies updated. Users who still want or need to use Drupal in version 7 after 2021 can rely on a paid support program, which was already available during the transition from version 6 to 7, a transition that brought major cuts. However, the minimum requirement for the version is increased to 7.1. There should also be a version of Drupal 7 that supports PHP 7.3, which is still supported until December 2021.