CVE-2018-7602: Drupal Remote Code Execution Vulnerability

On April 25, Drupal issued a security advisory saying that a high-risk vulnerability (CVE-2018-7602) affects versions of Drupal 7.x and 8.x, and an attacker can use this vulnerability to remotely execute code in different ways. Drupal officials stated that this vulnerability is related to the previous vulnerability CVE-2018-7600 and has been found to be exploited by attackers.

Affected version

• Drupal 7.x version < 7.58
• Drupal 8.5.x version < 8.5.1
• Drupal 8.3.x version < 8.3.9
• Drupal 8.4.x version < 8.4.6

Unaffected version

• Drupal 7.x version 58
• Drupal 8.5.x version 5.1
• Drupal 8.3.x version 3.9
• Drupal 8.4.x version 4.6

Solution

Drupal official has released a corresponding new version to fix the above vulnerabilities. Please update and upgrade affected users as soon as possible.

• Drupal 7.58
  https://www.drupal.org/project/drupal/releases/7.58
• Drupal 8.5.1
  https://www.drupal.org/project/drupal/releases/8.5.1
• Drupal 8.3.9
  https://www.drupal.org/project/drupal/releases/8.3.9
• Drupal 8.4.6
  https://www.drupal.org/project/drupal/releases/8.4.6

If the user is inconvenient to upgrade, Drupal also provides temporary patches to protect against this vulnerability, but it is strongly recommended that users complete the upgrade as soon as possible.