Drupal has released patches for a set of Remote Code Execution vulnerabilities. Some field types do not properly sanitize data from non-form sources, which can lead to arbitrary PHP code execution in some cases.
Your site is vulnerable to this exploit if either of the following conditions applies:
- The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or
- the site has another web services module enabled, such as JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.
(Note: The Drupal 7 Services module itself does not require an update at this time, but you should still apply other contributed updates associated with this advisory if Services is in use.)
Affected versions:
- Drupal 8.6.x
- Drupal 8.5.x
- Drupal 7.x
TechCERT recommends applying the following security updates at your earliest opportunity if you have any Drupal installation:
- If you are using Drupal 8.6.x, upgrade to Drupal 8.6.10.
- If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.11.
- No core update is required for Drupal 7, but several Drupal 7 contributed modules do require updates.
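As an added example (not part of the original advisory, and not Drupal's or TechCERT's own tooling), the Python script below encodes the two exposure conditions and the upgrade targets listed above so they can be applied to an inventory of sites rather than checked by hand. The versions, module lists and accepted HTTP methods it runs on are constructed inline; in practice they would be collected from each site (assumed sources: core/lib/Drupal.php, `drush status`, `drush pm-list`; the script does not call them).

```python
"""Triage helper for the Drupal advisory above.

Added example: this is not part of the original advisory and not Drupal's or
TechCERT's tooling. It encodes the two exposure conditions and the upgrade
targets listed above so they can be applied to an inventory of sites.
The site data at the bottom is constructed for illustration; in practice the
core version and module list would come from each site (assumed sources:
core/lib/Drupal.php, `drush status`, `drush pm-list`).
"""
import re

# Fixed core releases named in the advisory, keyed by 8.x branch.
FIXED_CORE = {"8.6": (8, 6, 10), "8.5": (8, 5, 11)}

# Web-services modules named in the advisory, keyed by core major version.
WEB_SERVICES_MODULES = {8: {"rest", "jsonapi"}, 7: {"services", "restws"}}


def parse_version(version):
    """Turn '8.6.9' or '7.64' into a comparable tuple (8, 6, 9) / (7, 64, 0)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def assess(version, enabled_modules, allowed_methods):
    """Apply the advisory's conditions to one site.

    enabled_modules: module machine names enabled on the site.
    allowed_methods: HTTP methods the site's web-services endpoints accept.
    Returns a dict with the matched condition, core patch state, overall
    verdict and the update to apply.
    """
    major, minor, patch = parse_version(version)
    if major not in WEB_SERVICES_MODULES:
        raise ValueError(f"advisory covers Drupal 7.x and 8.x only, got {version!r}")

    modules = {m.lower() for m in enabled_modules}
    methods = {m.upper() for m in allowed_methods}

    # Condition 1: Drupal 8 core rest module enabled and accepting PATCH or POST.
    rest_exposed = (major == 8 and "rest" in modules
                    and bool(methods & {"PATCH", "POST"}))
    # Condition 2: any other listed web-services module enabled
    # (JSON:API on 8.x; Services or RESTful Web Services on 7.x).
    other_exposed = bool((modules & WEB_SERVICES_MODULES[major]) - {"rest"})
    condition_met = rest_exposed or other_exposed

    if major == 8:
        # 8.6.x is fixed in 8.6.10; 8.5.x and earlier move to 8.5.11.
        fixed = FIXED_CORE["8.6"] if minor >= 6 else FIXED_CORE["8.5"]
        core_patched = (major, minor, patch) >= fixed
        action = None if core_patched else "upgrade core to %d.%d.%d" % fixed
    else:
        # Drupal 7: no core update; the fixes ship in contributed modules.
        core_patched = False
        action = "update the affected Drupal 7 contributed modules"

    return {
        "condition_met": condition_met,
        "core_patched": core_patched,
        "vulnerable": condition_met and not core_patched,
        "action": action,
    }


# Constructed inventory for illustration only.
SITES = [
    ("intranet", "8.6.9", ["node", "rest", "serialization"], ["GET", "POST"]),
    ("blog", "8.6.10", ["node", "rest"], ["GET", "POST"]),
    ("api", "8.5.3", ["node", "jsonapi"], ["GET"]),
    ("legacy", "7.64", ["services", "views"], ["GET", "POST"]),
]

if __name__ == "__main__":
    for name, version, modules, methods in SITES:
        r = assess(version, modules, methods)
        verdict = "VULNERABLE" if r["vulnerable"] else "not exposed"
        print(f"{name:10s} {version:8s} {verdict:12s} {r['action'] or 'no action'}")
```

Note that a site whose core is already at 8.6.10 or 8.5.11 is reported as not exposed even with the rest module accepting POST, while an unpatched site whose REST endpoints only accept GET still gets the upgrade recommendation: the conditions decide exposure to this issue, but the update is recommended for every installation regardless.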