High Threat Security Alert (A18-04-10): Vulnerability in Drupal


 

Published on: 26 April 2018

Description:

Drupal released a security update to fix a critical vulnerability (CVE-2018-7602). Multiple attack vectors could be adopted to exploit the vulnerabilities.

 

Affected Systems:

  • All versions of Drupal 6, 7 and 8.

Please also note that the support of Drupal 6 is ceased and no security updates will be provided. Users should arrange migrating to the latest version of Drupal or other supported technology.

 

Impact:

A successful attack could lead to arbitrary code execution and take control of an affected system.

 

Recommendation:

The product vendor has released patches to address the issues.

  • Drupal 8.5.3
    https://www.drupal.org/project/drupal/releases/8.5.3

  • Drupal 7.59
    https://www.drupal.org/project/drupal/releases/7.59

 

More Information:

https://www.drupal.org/sa-core-2018-002
https://www.drupal.org/sa-core-2018-004
https://groups.drupal.org/security/faq-2018-002
https://www.hkcert.org/my_url/en/alert/18042601
https://www.us-cert.gov/ncas/current-activity/2018/04/25/Drupal-Releases-Critical-Security-Updates
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7600
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7602

 



Tag: Drupal
Tags