CVE-2018-7600: Remote Code Execution vulnerability on Drupal 7.x, 8.3.x, 8.4.x
On March 28, Drupal officially issued an important security update for a serious vulnerability affecting Drupal 7.x, 8.3.x, 8.4.x, and 8.5.x. A remote code execution vulnerability (CVE-2018-7600) exists within multiple subsystems of Drupal 7.x and 8.x. It potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised. Because the vulnerability is very serious and can be exploited quickly, the Drupal security team recommends that users reserve sufficient time for updating and protecting their sites.
Drupal is an open source content management framework (CMF) written in the PHP language. It consists of a content management system (CMS) and a PHP development framework.
Affected version
- Drupal version 7.x
- Drupal version 8.3.x
- Drupal version 8.4.x
- Drupal version 8.5.x
Unaffected version
The official list of fixed versions will be released next week.
Solution
Drupal will release a full update patch; watch for the release and apply it promptly for protection.
While Drupal 8.3.x and 8.4.x are no longer supported and we don’t normally provide security releases for unsupported minor releases, given the potential severity of this issue, we are providing 8.3.x and 8.4.x releases that include the fix for sites which have not yet had a chance to update to 8.5.0. The Drupal security team strongly recommends the following:
- Sites on 8.3.x should immediately update to the 8.3.x release that will be provided in the advisory, and then plan to update to the latest 8.5.x security release in the next month.
- Sites on 8.4.x should immediately update to the 8.4.x release that will be provided in the advisory, and then plan to update to the latest 8.5.x security release in the next month.
- Sites on 7.x or 8.5.x can immediately update when the advisory is released using the normal procedure.
Source: Drupal