Drupal has Released Critical Security Updates for Remote Code Execution Vulnerabilities

PUBLISHED:
21 February 2019

Drupal has Released Critical Security Updates for Remote Code Execution Vulnerabilities

Drupal has released patches to set of Remote Code Execution vulnerabilities. Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.

If your site have a one of these conditions. Your site is vulnerable to this exploit:

  • The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or
  • the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.

(Note: The Drupal 7 Services module itself does not require an update at this time, but you should still apply other contributed updates associated with this advisory if Services is in use.)

Affected Systems

  • Drupal 8.6.x
  • Drupal 8.5.x
  • Drupal 7.x

Solution

TechCERT recommends applying following security patch updates at your earliest if you have any Drupal installation.

  • If you are using Drupal 8.6.x, upgrade to Drupal 8.6.10.
  • If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.11.
  • No core update requires for Drupal 7. But several Drupal 7 contributed modules do require updates.

More Info

https://www.drupal.org/sa-core-2019-003

13 July 2023 [NO.TCSA : 20230713-1-1-P]

Fortinet Patches Critical Remote Code Execution Vulnerability in FortiOS/FortiProxy

READ MORE READ MORE
23 June 2023 [NO.TCSA : 20230623-1-1-P]

WSO2 Releases Patches for Vulnerabilities in API Manager, Identity Server, and Other Products

READ MORE READ MORE
12 June 2023 [NO.TCSA : 20230612-1-1-P]

Fortinet Releases Urgent Patches for Critical Pre-Authentication RCE Vulnerability in Fortigate SSL-VPN Devices

READ MORE READ MORE
Read More BACK TO THREAT BULLETIN