Set of remote code execution vulnerabilities and other critical vulnerabilities have been discovered within multiple subsystems of Drupal 7.x and Drupal 8.x core. This will potentially allow attackers to exploit multiple attack vectors on a site running Drupal. This will result in a complete compromise of the site. As of the writing of this alert, Drupal has not identified a public exploit in the wild yet, but it is safe to say that due the criticality of the vulnerabilities, website owners should expect possible exploits to be developed and utilized maliciously. Hence, application of the now-released fix is highly recommended.
List of Vulnerabilities Discovered
Drupal 8 and 7 are affected.
TechCERT recommends all Drupal users update their sites to the most recent version of Drupal being used.