The developers of Drupal this week issued a security advisory urging users to update their software following the discovery of a highly critical remote code execution vulnerability in their open-source content management framework.
“Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases,” the advisory warns.
The vulnerability, CVE-2019-6340, only affects websites that have the Drupal 8 core RESTful Web Services (rest) module enabled and allow PATCH or POST requests, or that have another web services module enabled, including JSON:API in Drupal 8 or Services or RESTful Web Services in Drupal 7.
Users of Drupal 8.6.x should upgrade to Drupal 8.6.10, while users of Drupal 8.5.x and earlier should upgrade to Drupal 8.5.11. Website operators are also advised to apply updates to certain Drupal contributed projects, even if they are using Drupal 7.
For an immediate workaround that mitigates the issue, “you can disable all web services modules, or configure your web server(s) to not allow PUT/PATCH/POST requests to web services resources,” the advisory continues.
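As an added example, not code from the article or from the Drupal project: a small Python filter a site operator could run over web server access logs to list PUT/PATCH/POST requests aimed at web services resources, either to confirm the workaround above is refusing them or to review what reached those endpoints before the update was applied. The common log format and the `_format` / `/jsonapi` heuristics for what counts as a web services resource are assumptions, not taken from the advisory.

```python
import re
from typing import Dict, Iterable, List

# One request per line in the common log format (the constructed sample below
# uses this shape); the response size field may be "-".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)

# The methods the advisory's workaround says to refuse on web services resources.
WRITE_METHODS = {"PUT", "PATCH", "POST"}


def is_web_service_target(target: str) -> bool:
    """Heuristic for 'web services resource' (an assumption about the site's routing,
    not from the advisory): Drupal 8 core REST selects a serialization format via the
    `_format` query parameter, and the JSON:API module is served under /jsonapi."""
    path, _, query = target.partition("?")
    if path == "/jsonapi" or path.startswith("/jsonapi/"):
        return True
    return any(p.split("=", 1)[0] == "_format" for p in query.split("&") if p)


def flag_write_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed fields of every PUT/PATCH/POST to a web services resource."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not in common log format; skip rather than guess
        if m["method"] in WRITE_METHODS and is_web_service_target(m["target"]):
            flagged.append(m.groupdict())
    return flagged


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Feb/2019:10:15:01 +0000] "GET /node/1?_format=hal_json HTTP/1.1" 200 812',
    '203.0.113.5 - - [21/Feb/2019:10:15:02 +0000] "PATCH /node/1?_format=hal_json HTTP/1.1" 200 512',
    '198.51.100.7 - - [21/Feb/2019:10:16:40 +0000] "POST /jsonapi/node/article HTTP/1.1" 201 944',
    '198.51.100.7 - - [21/Feb/2019:10:17:03 +0000] "POST /user/login HTTP/1.1" 303 -',
    '192.0.2.9 - - [21/Feb/2019:10:18:22 +0000] "PUT /node/1?_format=json HTTP/1.1" 403 -',
    'garbage line that is not an access log entry',
]

if __name__ == "__main__":
    for hit in flag_write_requests(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["method"]} {hit["target"]} -> {hit["status"]}')
```

A 403 on a flagged line shows the web server refusing the method as the workaround intends; a 200 or 201 on a flagged line is a request the REST layer actually processed and is worth reviewing.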
Samuel Mortenson of the Drupal Security Team is credited with the RCE flaw’s discovery.