Drupal Remote Code Execution Vulnerability Alert
Drupal recently released a security advisory that fixes multiple security issues, including two critical remote code execution vulnerabilities affecting multiple versions of Drupal 7 and 8.
Vulnerability Overview
The vulnerability is summarized as follows:
- DefaultMailSystem::mail() Injection – Critical – Remote Code Execution
The vulnerability stems from the fact that, when mail is sent, some variables are passed to the shell for execution without proper sanitization, which may result in remote code execution.
- Contextual Links Validation – Critical – Remote Code Execution
The vulnerability stems from the fact that the Contextual Links module does not strictly validate the requested contextual links, which may result in remote code execution. This vulnerability can only be exploited when an attacker has access to contextual links.
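The DefaultMailSystem::mail() item above describes a classic defect class: a mail parameter that reaches the shell without sanitization. The following is an added illustration written for this alert, not Drupal's own code; it shows the unsafe pattern (untrusted input interpolated into a command string) beside the hardened form (allow-list validation, then a discrete argv element with no shell involved). The sendmail path, the address regex and the `validate_envelope_sender` helper are assumptions made for the example.

```python
"""Unsafe vs. hardened handling of a mail parameter that ends up on a command line.

Added example for this advisory; not Drupal code. Nothing here executes a command:
shlex.split() is used only to show how a shell would tokenise the unsafe string.
"""
import re
import shlex
from typing import List

# Constructed allow-list for an envelope sender: letters, digits and a few safe
# punctuation characters only. Anything else (quotes, ';', '|', '$', spaces...) is rejected.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Hypothetical sendmail path used by both builders below.
SENDMAIL = "/usr/sbin/sendmail"


def validate_envelope_sender(addr: str) -> str:
    """Return addr unchanged if it is a plain address; raise ValueError otherwise."""
    if not ADDRESS_RE.fullmatch(addr):
        raise ValueError(f"rejected envelope sender: {addr!r}")
    return addr


def unsafe_sendmail_command(sender: str) -> str:
    """Vulnerable pattern: untrusted input is interpolated into a shell command string.

    Whatever the sender string contains becomes part of the command line the shell parses.
    """
    return f"{SENDMAIL} -t -i -f {sender}"


def shell_word_count(command: str) -> int:
    """How many words a POSIX shell would see in `command` (the unsafe form should yield 5)."""
    return len(shlex.split(command))


def safe_sendmail_argv(sender: str) -> List[str]:
    """Hardened pattern: validate first, then pass the value as one argv element.

    The resulting list is meant for subprocess.run(argv) with shell=False, so shell
    metacharacters in `sender` are never interpreted even if validation were loosened.
    """
    return [SENDMAIL, "-t", "-i", "-f", validate_envelope_sender(sender)]


if __name__ == "__main__":
    ok = "alice@example.com"                 # constructed benign input
    print(shell_word_count(unsafe_sendmail_command(ok)), "words for a benign sender")
    print(safe_sendmail_argv(ok))
    try:
        safe_sendmail_argv("alice@example.com; echo")   # constructed input with a metacharacter
    except ValueError as exc:
        print("hardened path rejected it:", exc)
```

The defensive point is the combination: reject anything that is not a plain address, and never hand the value to a shell at all. Either control alone narrows the issue; together they remove the shell from the data path entirely.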
Affected version
- Drupal 7.x version < 7.60
- Drupal 8.6.x version < 8.6.2
- Drupal 8.5.x (and earlier 8.x branches) version < 8.5.8
Unaffected version
- Drupal 7.60
- Drupal 8.6.2
- Drupal 8.5.8 (for 8.5.x and earlier 8.x branches)
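To turn the version ranges above into a repeatable check, the following added script (written for this alert; not a Drupal or vendor tool) parses a Drupal core version string and reports whether it falls inside the affected ranges listed here. The optional file reader assumes the standard locations of the version constant in a Drupal checkout: `core/lib/Drupal.php` (`const VERSION = '...'`) for Drupal 8 and `includes/bootstrap.inc` (`define('VERSION', '...')`) for Drupal 7; any other layout is outside what it handles.

```python
"""Classify a Drupal core version against the affected ranges in this advisory.

Added example for this advisory. Ranges encoded below:
  7.x   < 7.60   affected
  8.6.x < 8.6.2  affected
  8.5.x and earlier 8.x branches < 8.5.8 affected
"""
import os
import re
from typing import Optional, Tuple

# Matches the leading dotted-integer part of a version such as "8.6.1" or "8.5.8-dev".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)")


def parse_version(version: str) -> Tuple[int, ...]:
    """Return the numeric components of a Drupal version; suffixes like '-dev' are dropped."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version: str) -> Optional[bool]:
    """True if affected, False if at or above the fixed release, None if outside the advisory."""
    v = parse_version(version)
    if v[0] == 7:
        return v < (7, 60)
    if v[0] == 8:
        if v[:2] >= (8, 6):
            return v < (8, 6, 2)
        # 8.5.x and every earlier 8.x branch: fixed release is 8.5.8.
        return v < (8, 5, 8)
    return None  # e.g. Drupal 6 or later majors: not covered by this advisory


def read_version_from_tree(root: str) -> Optional[str]:
    """Best-effort read of the core version constant from a Drupal checkout (assumed layout)."""
    candidates = [
        (os.path.join(root, "core", "lib", "Drupal.php"), r"const VERSION = '([^']+)'"),   # Drupal 8
        (os.path.join(root, "includes", "bootstrap.inc"), r"define\('VERSION', '([^']+)'\)"),  # Drupal 7
    ]
    for path, pattern in candidates:
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                m = re.search(pattern, fh.read())
            if m:
                return m.group(1)
    return None


def report(version: str) -> str:
    """Human-readable verdict for one version string."""
    verdict = is_affected(version)
    if verdict is None:
        return f"{version}: not covered by this advisory"
    return f"{version}: {'AFFECTED, upgrade required' if verdict else 'not affected'}"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    found = read_version_from_tree(target)
    if found is None:
        # Constructed sample values, used when no Drupal tree is given.
        for sample in ("7.59", "7.60", "8.6.1", "8.6.2", "8.5.7", "8.5.8", "8.4.0"):
            print(report(sample))
    else:
        print(report(found))
```

Run it with the path of a Drupal root to check a deployed site, or with no argument to see the verdict for a few constructed sample versions. Because the comparison is done on integer tuples, a pre-release suffix such as `8.6.2-dev` is treated as `8.6.2`; if you track development snapshots, compare against the actual fixed commit rather than relying on the number alone.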
Solution
Drupal has released new versions that fix the above vulnerabilities; affected users are advised to upgrade as soon as possible.