Drupal issued security advisory SA-CORE-2018-006 covering two critical and several moderately critical-rated issues in Drupal core versions 7.x and 8.x.

The two critical issues were both in Drupal 8, both of which could lead to remote code execution. The first was an injection in DefaultMailSystem::mail that took place when sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution. The second resided in contextual links validation where that module doesn’t sufficiently validate the requested contextual links.

Both issues have been mitigated.

In Drupal 8 the organization fixed a problem in content moderation where content moderation failed to check a user’s access to use certain transitions, leading to an access bypass. This was fixed with two additional services having been injected into this service and an additional method has been added to the StateTransitionValidationInterface.

In Drupal 7 and 8 there was a vulnerability allowing external URL injection through URL aliases that under certain circumstances a user can enter a particular path triggering an open redirect to a malicious URL. Drupal fixed the issue by requiring the user needs the administer paths permission to exploit.

An anonymous open redirect in Drupal 8 was noted that could allow a malicious user to use this parameter to construct a URL that will trick users into being redirected to a third-party website exposing the users to potential social engineering attacks. This has been partially fixed through the removal of \Drupal\Core\EventSubscriber\RedirectResponseSubscriber::sanitizeDestination, Drupal reported.