A set of remote code execution vulnerabilities and other critical vulnerabilities has been discovered in multiple subsystems of Drupal 7.x and Drupal 8.x core. Together they give attackers multiple attack vectors against a site running Drupal, and successful exploitation results in a complete compromise of the site. As of the writing of this alert, Drupal has not identified a public exploit in the wild, but given the criticality of the vulnerabilities, website owners should expect exploits to be developed and used maliciously. Applying the now-released fix is therefore highly recommended.
List of Vulnerabilities Discovered
- Content moderation - Moderately critical - Access bypass - Drupal 8
- External URL injection through URL aliases - Moderately critical - Open redirect - Drupal 7 and Drupal 8
- Anonymous Open Redirect - Moderately critical - Open redirect - Drupal 8
- Injection in DefaultMailSystem::mail() - Critical - Remote code execution - Drupal 7 and Drupal 8
- Contextual Links validation - Critical - Remote code execution - Drupal 8
Drupal 8 and 7 are affected.
TechCERT recommends that all Drupal users update their sites to the most recent release of the Drupal version (7.x or 8.x) they are running.
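Two of the issues listed above are open redirects, a class of flaw in which a site forwards users to a destination taken from a URL parameter or alias without checking where it points. The following is an added, generic illustration of the defensive check that prevents this class of bug; it is not Drupal's code, not the released patch, and does not describe how the listed Drupal issues work. The allow-list of hostnames and the sample destinations are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list for the example: the hostnames this site is
# allowed to redirect to. Anything else is treated as off-site.
ALLOWED_HOSTS = frozenset({"example.com", "www.example.com"})


def is_safe_redirect(target: str, allowed_hosts: frozenset = ALLOWED_HOSTS) -> bool:
    """Return True only if `target` keeps the user on an allowed host.

    Accepts a site-relative path ("/node/1") or an absolute http(s) URL
    whose host is on the allow-list. Rejects scheme-relative URLs
    ("//evil.example"), backslash variants that browsers read as slashes,
    and every non-http scheme (javascript:, data:, ...).
    """
    if not target:
        return False

    # Browsers normalise backslashes to forward slashes, so "/\evil.example"
    # would be followed as "//evil.example". Normalise before parsing so the
    # check sees the same URL the browser will.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)

    if parts.scheme == "" and parts.netloc == "":
        # A relative destination: require exactly one leading slash. A
        # leading "//" would be scheme-relative and leave the site.
        return normalised.startswith("/") and not normalised.startswith("//")

    if parts.scheme not in ("http", "https"):
        return False

    # urlsplit().hostname drops userinfo and port and lower-cases the host,
    # so "http://user@EVIL.example:8080" is compared as "evil.example".
    host = parts.hostname or ""
    return host in allowed_hosts


def safe_destination(target: str, fallback: str = "/") -> str:
    """Return `target` if it is safe to redirect to, else the local fallback."""
    return target if is_safe_redirect(target) else fallback


def classify_samples() -> dict:
    """Run the check over constructed sample destinations (for illustration)."""
    samples = [
        "/node/1",
        "https://www.example.com/user/login",
        "//evil.example/phish",
        "/\\evil.example",
        "https://example.com.evil.example/",
        "javascript:alert(1)",
        "http://user@example.com@evil.example/",
        "",
    ]
    return {s: is_safe_redirect(s) for s in samples}


if __name__ == "__main__":
    for destination, ok in classify_samples().items():
        print(f"{'ALLOW' if ok else 'BLOCK'}  {destination!r} -> {safe_destination(destination)!r}")
```

The check is deliberately conservative: a destination that does not start with a slash, or whose host is not on the allow-list, falls back to the site root rather than being rewritten. Logging the blocked destinations gives a simple detection signal for attempts to abuse a redirect parameter.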