Description
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.
Remediation
Upgrade to the most recent version of Drupal 7 or 8 core.
If you are running 7.x, upgrade to Drupal 7.58.
If you are running 8.5.x, upgrade to Drupal 8.5.1.