Drupal has issued an alert for users to patch a highly critical remote code execution vulnerability within multiple subsystems of Drupal 7.x and 8.x.
The vulnerability, CVE-2018-7600, potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised. Drupal is recommending that those running any version of 7.x upgrade to 7.58 and those with 8.x immediately upgrade to 8.5.1. Drupal issued a warning in late March that these updates would be forthcoming.
“The Drupal bug is caused due to an incomplete sanitization of parameter names, which allows an attacker to pass a well-crafted payload that starts with a “#” followed by a property name. This can allow an attacker to instantiate a class in Drupal, which in some cases means they can execute arbitrary code,” Koby Kilimnik a security researcher at Imperva told SC Media.
The issue is so severe that Drupal said it will even offer updates for several older and unsupported versions.
“Drupal 8.3.x and 8.4.x are no longer supported and we don’t normally provide security releases for unsupported minor releases. However, given the potential severity of this issue, we are providing 8.3.x and 8.4.x releases that includes the fix for sites which have not yet had a chance to update to 8.5.0,” Drupal said in a security advisory.
Kilimnik estimates about 1 million are running a version of this CMS that is vulnerable.