Another Drupal Remote Code Execution vulnerability has been discovered and was made public on April 25th, 2018, making this the 3rd vulnerability and 2nd “Highly Critical Vulnerability” to be disclosed in the last 30 days for the Drupal Core. The vulnerability (CVE-2018-7602) allows an attacker to exploit multiple attack vectors of the subsystems of Drupal 7.x and 8.x, resulting in a complete compromise of the site. There are reports that this vulnerability is currently being exploited in the wild.
Drupal 7 and Drupal 8 sites are affected and vulnerable to exploitation.
TechCERT recommends all Drupal users update their sites to the most recent version of Drupal being used at your earliest.
- If you are running 7.x, upgrade to Drupal 7.59.
- If you are running 8.5.x, upgrade to Drupal 8.5.3.
- If you are running 8.4.x, which is no longer supported, you need first to update your site to 8.4.8 release and then install the latest 8.5.3 release as soon as possible.
Note: These patches will only work if your site already has the fix from SA-CORE-2018-002 applied.