Drupal Remote Code Execution Vulnerability Alert

Recently, Drupal officially released security notices to fix multiple security issues, including two serious remote code execution vulnerabilities, affecting multiple versions of Drupal 7 and 8.


Vulnerability Overview

The vulnerability is summarized as follows:

  1. DefaultMailSystem::mail() Injection – Critical – Remote Code Execution

The vulnerability stems from the fact that, when mail is sent, some variables are passed to the shell for execution without proper sanitization, which may result in remote code execution.
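The defensive pattern for this class of bug, as an added example that is not Drupal's own code: the sender address that reaches sendmail through the shell-facing additional parameters of PHP's mail() is first validated as an address and then quoted for the shell. Function names and the sample inputs are hypothetical/constructed.

```php
<?php
// Added example, not Drupal's own implementation. Demonstrates validating and
// escaping a value before it is placed in mail()'s additional parameters,
// which sendmail receives as command-line arguments (here the -f option).

// Unsafe pattern of the kind the advisory describes: the caller's value is
// concatenated into the command line as-is, so whatever it contains is
// interpreted by the shell.
function unsafe_return_path_param(string $returnPath): string {
    return '-f' . $returnPath;
}

// Hardened form: reject anything that is not a syntactically valid address,
// then quote it so it can only ever be a single argument.
function safe_return_path_param(string $returnPath): string {
    if (filter_var($returnPath, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException("Invalid Return-Path: $returnPath");
    }
    return '-f' . escapeshellarg($returnPath);
}

// Constructed sample inputs: an ordinary address, and a string containing a
// space, which a shell would split into a second argument.
$samples = [
    'alice@example.com',
    'alice@example.com extra',
];
foreach ($samples as $s) {
    try {
        echo safe_return_path_param($s), PHP_EOL;   // -f'alice@example.com'
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}

// Hypothetical call site: the validated, quoted value is what mail() gets.
// mail($to, $subject, $body, $headers, safe_return_path_param($from));
```

Where possible, sending through an SMTP library instead of mail() removes the shell from the path entirely, and the validation step then guards against header injection rather than argument injection.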

  2. Contextual Links Validation – Critical – Remote Code Execution

The vulnerability stems from the Contextual Links module not strictly validating the requested contextual links, which can lead to remote code execution. It can only be exploited by an attacker who already has access to contextual links.

Affected version

  • Drupal 7.x version < 7.60
  • Drupal 8.6.x version < 8.6.2
  • Drupal 8.5.x and earlier versions < 8.5.8

Unaffected version

  • Drupal 7.60
  • Drupal 8.6.2
  • Drupal 8.5.8

Solution

Drupal has officially released new versions that fix the above vulnerabilities; affected users should upgrade as soon as possible.