Drupal has Released a Security Update for Multiple Vulnerabilities

PUBLISHED:
30 November 2018

Drupal has Released a Security Update for Multiple Vulnerabilities

Set of remote code execution vulnerabilities and other critical vulnerabilities have been discovered within multiple subsystems of Drupal 7.x and Drupal 8.x core. This will potentially allow attackers to exploit multiple attack vectors on a site running Drupal. This will result in a complete compromise of the site. As of the writing of this alert, Drupal has not identified a public exploit in the wild yet, but it is safe to say that due the criticality of the vulnerabilities, website owners should expect possible exploits to be developed and utilized maliciously. Hence, application of the now-released fix is highly recommended.

List of Vulnerabilities Discovered

• Content moderation – Moderately critical – Access bypass – Drupal 8
• External URL injection through URL aliases – Moderately Critical – Open Redirect – Drupal 7 and Drupal 8
• Anonymous Open Redirect – Moderately Critical – Open Redirect – Drupal 8
• Injection in DefaultMailSystem::mail() – Critical – Remote Code Execution – Drupal 7 and Drupal 8
• Contextual Links validation – Critical – Remote Code Execution – Drupal 8

Affected Systems:

Drupal 8 and 7 are affected.

Recommended Action:

TechCERT recommends all Drupal users update their sites to the most recent version of Drupal being used.

• • If you are running 7.x, upgrade to Drupal 7.60.
  • If you are running 8.6.x, upgrade to Drupal 8.6.2.
  • If you are running 8.5.x or earlier, upgrade to Drupal 8.5.8.

Additional Information:

• https://www.drupal.org/sa-core-2018-006