Drupal has released two critical security updates for vulnerabilities that, if exploited, could allow an attacker to take control of an affected system.
The vulnerabilities affect Drupal 7.x, 8.5.x and 8.6.x and are fixed by updating to Drupal 7.62, 8.5.9 or 8.6.6 respectively.
The first critical vulnerability, CVE-2018-1000888, lies in a third-party component, the PEAR Archive_Tar library, which its publisher had already updated to fix the issue. If exploited, CVE-2018-1000888 can lead to remote code execution. In addition, one known issue in Drupal connected to this problem is a fatal error that can occur when updating a site with Drush, a command-line shell for Drupal.
The second vulnerability, which has no CVE assigned, is a remote code execution vulnerability in PHP's built-in phar stream wrapper, triggered when file operations are performed on an untrusted phar:// URI. Drupal code in core, contrib and custom modules may perform file operations on insufficiently validated user input, and any such code is exposed to this vulnerability.
The one piece of good news for those who have not yet updated to a secure version is that these code paths require administrative privileges to exploit.
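The phar stream wrapper issue above comes down to user-controlled values reaching PHP file functions unvalidated. The following is an added example, not Drupal's own code or its fix, showing the weak pattern beside a hardened one; the helper names (safeLocalPath, unsafeExists, safeExists) and the directory used for the demo are hypothetical.

```php
<?php
// Added example (not from Drupal). Any value that can carry a scheme such as
// "phar://" must be rejected before it reaches a filesystem call, because PHP
// chooses the stream wrapper from that prefix.

/**
 * Return an absolute path inside $baseDir for $userInput, or null if the
 * input must be rejected (stream-wrapper scheme, null byte, traversal,
 * or a file that does not exist).
 */
function safeLocalPath(string $userInput, string $baseDir): ?string {
    // A scheme prefix ("phar:", "data:", "php:", ...) means this is not a
    // plain relative filename; refuse it rather than letting PHP pick a
    // wrapper. (On Windows this also rejects "C:\..." drive paths, which
    // is fine: absolute input is not accepted here anyway.)
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $userInput)) {
        return null;
    }
    if (strpos($userInput, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves ".." and symlinks and returns false for a
    // non-existent target, so nothing unresolved slips through.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userInput);
    if ($candidate === false) {
        return null;
    }
    // The resolved path must be $base itself or strictly below it.
    if ($candidate !== $base
        && strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Weak pattern described in the advisory: the raw value goes straight into
// a file operation, so a "phar://" prefix selects the phar wrapper.
function unsafeExists(string $userInput): bool {
    return file_exists($userInput);   // never do this with untrusted input
}

// Hardened pattern: validate first, then operate only on the vetted path.
function safeExists(string $userInput, string $baseDir): bool {
    $path = safeLocalPath($userInput, $baseDir);
    return $path !== null && file_exists($path);
}

// Constructed demo inputs against the system temp directory.
$dir = sys_get_temp_dir();
var_dump(safeLocalPath('phar://avatar.jpg/x', $dir)); // NULL: scheme rejected
var_dump(safeLocalPath('../../etc/passwd', $dir));    // NULL: escapes $dir
var_dump(safeLocalPath('.', $dir) === realpath($dir)); // bool(true)
```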