A few days ago, Drupal Security Team confirmed that a “highly critical” vulnerability, tracked as CVE-2018-7600, affects Drupal 7 and 8 core and announced the availability of security updates on March 28th.
The vulnerability was discovered by the Drupal developers Jasper Mattsson.
Both Drupal 8.3.x and 8.4.x are not supported, but due to the severity of the flaw the Drupal Security Team decided to address it with specific security updates.
Now the Drupal development team has fixed the vulnerability that could be exploited by an attacker to run arbitrary code on the CMS core component and take over a website just by accessing an URL.
The Drupal CMS currently runs on over one million websites, it is the second most popular content management system behind WordPress.
Website administrators should immediately upgrade their sites to Drupal 7.58 or Drupal 8.5.1.
The flaw was dubbed Drupalgeddon2 after the CVE-2014-3704 Drupalgeddon security vulnerability that was discovered in 2014 that was exploited in numerous successful attacks in the wild.
The good news is that at the time there is no public proof-of-concept code available online.
“A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.” reads the security advisory published by Drupal.
Upgrade to the most recent version of Drupal 7 or 8 core.
The Drupal team took the site offline before the announcement to do a version upgrade, and now the site doesn’t work ???
— Kevin Beaumont, Actual Porg ? (@GossiTheDog) March 28, 2018
The Drupal team also issued security patches for the 6.x versions that were discontinued in February 2016.
“This issue also affects Drupal 6. Drupal 6 is End of Life. For more information on Drupal 6 support please contact a D6LTS vendor.” continues the advisory.
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(Security Affairs – Drupal, Drupalgeddon2)