The update plugs a security hole that exposes a million Drupal websites to attacks
Content management system (CMS) platform Drupal is urging its users to install a patch for a “highly critical” vulnerability that can be readily exploited by attackers to wrest control of any website built with this open-source software platform.
Based on which of the two branches (7.x or 8.5.x) they are using, Drupal website owners should rush to update to version 7.58 or 8.5.1. In addition, the team behind Drupal has put out fixes for older and no-longer supported versions. This includes versions 8.3 and 8.4, as well as Drupal 6, which reached its end-of life as far back as February 2016.
The organization behind Drupal assigned the remote-code execution vulnerability a risk score of 21/25. The flaw, designated CVE-2018-7600, makes it possible for an attacker to “exploit multiple attack vectors” against a website, which could then become “completely compromised”, according to the statement by the Drupal team.
What this means, according to the team, is that the attacker could access, delete and modify any non-public data on the vulnerable website powered by Drupal. No privileges or login credentials are needed to compromise the site.
The vulnerability was discovered by Jasper Mattsson, who works for a firm that conducts security audits for Drupal.
The organization behind Drupal gave a heads-up of the incoming updates seven days in advance, hinting at the severity of the problem. “The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days,” according to the announcement last week. No such exploits or proof-of-concept code have been spotted in the wild yet, said Drupal’s team.