The popular CMS Drupal has been found to contain a highly critical security vulnerability that affects Drupal versions 7 and 8. The flaw has been assigned the identifier CVE-2018-7600.
Drupal developers are urging admins to patch their websites as soon as possible as unpatched sites are at high risk of remote code execution. More than one million websites may be affected by the flaw if their admins leave them vulnerable.
CVE-2018-7600 Should Be Patched Immediately
Here’s the official description of CVE-2018-7600:
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.
The vulnerability is rated as highly critical and could cause severe damage to a website. A vulnerable website can be hacked via remote code execution due to missing input validation.
Last week, Drupal started informing users that a highly critical release would be published in the upcoming days, urging admins to patch immediately. This announcement seemed rather unusual for the CMS platform, and developers were left highly concerned.
If you are running 7.x, upgrade to Drupal 7.58, and if you are running 8.5.x, upgrade to Drupal 8.5.1, Drupal said in their advisory.