Drupal has released a security update to fix a critical vulnerability (CVE-2018-7602). Multiple attack vectors could be used to exploit the vulnerability.
Please also note that support for Drupal 6 has ceased and no security updates will be provided. Users should arrange to migrate to the latest version of Drupal or another supported technology.
A successful attack could lead to arbitrary code execution and allow an attacker to take control of an affected system.
The product vendor has released patches to address the issues.
https://www.drupal.org/sa-core-2018-002
https://www.drupal.org/sa-core-2018-004
https://groups.drupal.org/security/faq-2018-002
https://www.hkcert.org/my_url/en/alert/18042601
https://www.us-cert.gov/ncas/current-activity/2018/04/25/Drupal-Releases-Critical-Security-Updates
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7600
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7602