Critical Vulnerability Exposes Drupal Websites
While analyzing the security of Drupal, security researcher Jasper Mattsson discovered a remote code execution vulnerability that impacts all versions of the open source content management system. The vulnerability, CVE-2018-7600, which was assigned a score of 21/25, can be exploited by accessing a page on a targeted Drupal website. Once successfully exploited, it gives the attacker full control over a site, including access to non-public data and the possibility to delete or modify system data.
Although this vulnerability affects over one million websites, it has been patched with the following releases:
- Drupal 7.58
- Drupal 8.5.1
- Drupal 8.3.9
- Drupal 8.4.6
Workarounds are available, but all require drastic changes to the current website which temporarily replaces the Drupal page with a static HTML page. Users are urged to upgrade their installations to the latest versions as soon as possible.