Description

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.

Remediation

Upgrade to the most recent version of Drupal 7 or 8 core.

If you are running 7.x, upgrade to Drupal 7.59.
If you are running 8.5.x, upgrade to Drupal 8.5.3.
If you are running 8.4.x, upgrade to Drupal 8.4.8.

References

Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-004

Related Vulnerabilities

Server-side JavaScript injection

WordPress Plugin Insert or Embed Articulate Content into WordPress Remote Code Execution (4.2997)

MediaWiki remote code execution

WordPress Plugin Dynamic Content for Elementor Remote Code Execution (1.9.5.6)

WordPress 'wp-admin/options.php' Remote Code Execution Vulnerability (0.6.2 - 2.3.2)

Severity

High

Classification

CVE-2018-7602 CWE-94 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution