On April 25, 2018 (local time), Drupal published security advisory SA-CORE-2018-004 for a critical vulnerability, CVE-2018-7602, affecting Drupal 7.x and 8.x. It is a remote code execution vulnerability in multiple Drupal core subsystems, reachable through several attack vectors, so a successful exploit can fully compromise the site. Drupal states that it is related to the earlier vulnerability CVE-2018-7600 (SA-CORE-2018-002) and that it is being exploited in the wild.
NSFOCUS Threat Intelligence (NTI) Center data shows that over 120 thousand Drupal installations worldwide were observed last year, most of them in the United States.
Drupal has released new versions of 7.x and 8.x core to fix this vulnerability.
Reference links:
https://www.drupal.org/sa-core-2018-004
https://www.drupal.org/sa-core-2018-002
Affected versions (per SA-CORE-2018-004):
- Drupal 7.x version < 7.59
- Drupal 8.5.x version < 8.5.3
- Drupal 8.4.x version < 8.4.8
- Drupal 8.3.x and earlier 8.x branches: end-of-life, no fix released, so they remain affected
Unaffected versions:
- Drupal 7.x version 7.59
- Drupal 8.5.x version 8.5.3
- Drupal 8.4.x version 8.4.8
Note: 7.58, 8.5.1, 8.4.6 and 8.3.9 are the releases from SA-CORE-2018-002 that fixed the related CVE-2018-7600. They do not fix CVE-2018-7602; a site on one of those releases must upgrade again.
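To turn the version list above into a check you can run on your own hosts, here is an added example (not NSFOCUS or Drupal code): it parses a Drupal core version string, compares it against the fix releases from SA-CORE-2018-004, and reads the version from a checkout the way Drupal 7 and 8 core record it (the `define('VERSION', ...)` in includes/bootstrap.inc and the `const VERSION` in core/lib/Drupal.php). The file locations and version formats are Drupal's; the function names and the sample version strings are assumptions for this example.

```python
"""Check a Drupal core version against the CVE-2018-7602 fix releases (SA-CORE-2018-004).

Added example, not NSFOCUS or Drupal code. The fix releases come from the
advisory; the version-file locations are those used by Drupal 7 and 8 core.
"""
import os
import re
import sys

# First release of each supported branch that contains the SA-CORE-2018-004 fix.
# 8.3.x and older 8.x branches were end-of-life and received no fix.
FIXED_RELEASES = {
    "7": (7, 59),      # Drupal 7 versions are MAJOR.MINOR, e.g. 7.58
    "8.4": (8, 4, 8),  # Drupal 8 versions are MAJOR.MINOR.PATCH, e.g. 8.4.6
    "8.5": (8, 5, 3),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.]+))?$")


def parse_version(version):
    """Turn '7.58', '8.5.1' or '8.5.3-rc1' into a tuple that sorts in release order.

    A pre-release tag (-dev, -alpha1, -rc1, ...) is older than the final release
    with the same number, so it gets a trailing 0 where a final release gets 1.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    major, minor, patch, prerelease = m.groups()
    numbers = [int(major), int(minor)]
    if patch is not None:
        numbers.append(int(patch))
    numbers.append(0 if prerelease else 1)
    return tuple(numbers)


def branch_of(parsed):
    """Map a parsed version to the branch key used in FIXED_RELEASES."""
    return "7" if parsed[0] == 7 else f"{parsed[0]}.{parsed[1]}"


def assess(version):
    """Return (status, fixed_release) for CVE-2018-7602.

    status is 'vulnerable', 'fixed' or 'unsupported' (an end-of-life 8.x branch
    with no fix, which should be treated as vulnerable). fixed_release is the
    release to upgrade to within the same branch, or None if there is none.
    """
    parsed = parse_version(version)
    branch = branch_of(parsed)
    if branch not in FIXED_RELEASES:
        # 8.x branches newer than 8.5 were released after the advisory and ship
        # with the fix; older 8.x branches were end-of-life and never got one.
        return ("fixed" if parsed[:2] > (8, 5) else "unsupported", None)
    fixed = FIXED_RELEASES[branch]
    status = "fixed" if parsed >= fixed + (1,) else "vulnerable"
    return (status, ".".join(str(n) for n in fixed))


# Where Drupal core records its own version: a class constant in 8.x and a
# define() in 7.x. The patterns match the exact lines used by core.
_VERSION_FILES = (
    (os.path.join("core", "lib", "Drupal.php"), re.compile(r"const VERSION = '([^']+)';")),
    (os.path.join("includes", "bootstrap.inc"), re.compile(r"define\('VERSION', '([^']+)'\);")),
)


def version_from_source(text):
    """Extract the core version from the contents of either version file, or None."""
    for _, pattern in _VERSION_FILES:
        m = pattern.search(text)
        if m:
            return m.group(1)
    return None


def version_from_checkout(root):
    """Read the core version from a Drupal install rooted at `root`, or None."""
    for relpath, _ in _VERSION_FILES:
        try:
            with open(os.path.join(root, relpath), encoding="utf-8") as fh:
                found = version_from_source(fh.read())
        except OSError:
            continue
        if found:
            return found
    return None


if __name__ == "__main__":
    docroot = sys.argv[1] if len(sys.argv) > 1 else "."
    found = version_from_checkout(docroot)
    if found is None:
        sys.exit(f"no Drupal core version file found under {docroot}")
    status, fixed = assess(found)
    print(f"Drupal {found}: {status}" + (f" (fix release: {fixed})" if fixed else ""))
```

Run it as `python check_drupal.py /var/www/html` (path assumed). A pre-release of a fix version (for example 8.5.3-rc1) is deliberately reported as vulnerable, and an end-of-life branch such as 8.3.x is reported as unsupported rather than fixed, since no release of that branch contains the fix.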
Solutions
Drupal has released new core versions to fix this vulnerability. Affected users are advised to upgrade to the fixed release for their branch immediately.
Links for upgrading:
Drupal 7.59
https://www.drupal.org/project/drupal/releases/7.59
Drupal 8.5.3
https://www.drupal.org/project/drupal/releases/8.5.3
Drupal 8.4.8
https://www.drupal.org/project/drupal/releases/8.4.8
Sites still on Drupal 8.3.x or earlier 8.x branches receive no fix and should move to a supported branch.
For sites that cannot upgrade immediately, Drupal also provides patches as a workaround; the SA-CORE-2018-004 patch must be applied on top of the earlier SA-CORE-2018-002 fix, since the two vulnerabilities are related. We strongly recommend upgrading to the fixed releases as soon as possible rather than relying on patches.
Reference links:
https://www.drupal.org/sa-core-2018-004
https://www.drupal.org/sa-core-2018-002