Drupal developers informed users that version 8.7.4 is affected by a critical flaw, tracked as CVE-2019-6342, that could be exploited by attackers to take control of Drupal 8 websites. Users have to update to version 8.7.5 to address the vulnerability.
The issue affects Drupal 8.7.4 specifically: it is an access bypass vulnerability that can be triggered when the experimental Workspaces module is enabled.
The vulnerability can be mitigated by disabling the Workspaces module.
“For sites with the Workspaces module enabled, update.php needs to run to ensure a required cache clear. If there is a reverse proxy cache or content delivery network (e.g. Varnish, CloudFlare) it is also advisable to clear these as well.” continues the advisory.
The development team pointed out that the flaw only affects the Drupal 8.7.4 release; earlier versions are not affected.
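As an added triage helper (not Drupal's code and not from the advisory), the script below checks the two conditions the advisory names, core version exactly 8.7.4 and the Workspaces module enabled, by reading core/lib/Drupal.php (which declares the VERSION constant) and an exported core.extension.yml from the site's config sync directory; the embedded file contents are constructed samples, and the file locations are assumed from a standard Drupal 8 layout.

```python
import re
import sys

AFFECTED_VERSION = "8.7.4"  # the only release the advisory names as affected
FIXED_VERSION = "8.7.5"
# Drupal 8 core declares its version as `const VERSION = '8.7.4';` in core/lib/Drupal.php
VERSION_RE = re.compile(r"const\s+VERSION\s*=\s*['\"]([^'\"]+)['\"]")
# Constructed samples of the two files, used when no paths are given on the command line
SAMPLE_PHP = "<?php\nclass Drupal {\n  const VERSION = '8.7.4';\n}\n"
SAMPLE_YML = "module:\n  node: 0\n  workspaces: 0\ntheme:\n  bartik: 0\nprofile: standard\n"

def parse_version(drupal_php: str) -> "str | None":
    """Extract the core VERSION constant from the text of core/lib/Drupal.php."""
    m = VERSION_RE.search(drupal_php)
    return m.group(1) if m else None

def parse_enabled_modules(core_extension_yml: str) -> set:
    """Collect machine names under the `module:` key of core.extension.yml (no PyYAML needed)."""
    modules, in_module_block = set(), False
    for line in core_extension_yml.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith((" ", "\t")):  # a new top-level key such as `theme:`
            in_module_block = line.rstrip() == "module:"
            continue
        if in_module_block:
            modules.add(line.split(":", 1)[0].strip())
    return modules

def triage(drupal_php: str, core_extension_yml: str) -> dict:
    """Report whether the site has the vulnerable version + module combination and what to do."""
    version = parse_version(drupal_php)
    workspaces = "workspaces" in parse_enabled_modules(core_extension_yml)
    vulnerable = version == AFFECTED_VERSION and workspaces
    if vulnerable:
        action = (f"update to {FIXED_VERSION}, run update.php, then purge reverse-proxy/CDN "
                  "caches; disabling the Workspaces module is the interim mitigation")
    elif version == AFFECTED_VERSION:
        action = f"update to {FIXED_VERSION}; not exposed while Workspaces stays disabled"
    else:
        action = "not affected by CVE-2019-6342"
    return {"version": version, "workspaces_enabled": workspaces,
            "vulnerable": vulnerable, "action": action}

if __name__ == "__main__":  # usage: python triage.py <drupal_root> <config_sync>/core.extension.yml
    if len(sys.argv) == 3:
        with open(f"{sys.argv[1]}/core/lib/Drupal.php") as php, open(sys.argv[2]) as yml:
            print(triage(php.read(), yml.read()))
    else:
        print(triage(SAMPLE_PHP, SAMPLE_YML))
```

If the site's active configuration has never been exported, `drush config:get core.extension module` produces the same module list for the second argument.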
The flaw was reported by Dave Botsch; the good news is that there is no evidence of attacks exploiting it in the wild.
Anyway, the U.S. Department of Homeland Security (DHS) has also published a security update for the CVE-2019-6342 flaw.
Drupal websites are prime targets for attackers; in the past, several campaigns leveraged other flaws in the popular CMS. In February, just three days after the CVE-2019-6340 flaw was addressed, threat actors in the wild started exploiting the issue to deliver