The vulnerability could allow hackers to “completely compromise” a website created with Drupal, the company has warned.
The content management system (CMS) platform issued security updates after the major flaw was discovered in versions 6, 7 and 8.
The bug could allow hackers to carry out RCE on a website created with Drupal, and could result in the site being “completely compromised”, a report read.
Attackers can exploit the issues to hack your website from any webpage, without requiring a login or elevated privileges, Drupal warned.
Hackers can manipulate or delete any data on the site – even that which wasn’t made public.
Users are advised to upgrade to the latest versions of Drupal to protect themselves against the flaw, dubbed CVE-2018-7600.
There isn’t an attack code in the wild right now, but the CMS platform warned that it’s only a matter of time before one surfaces.
Anyone running version 7 should update to 7.58, and version 8 users should patch to 8.5.1.
Versions 8.3.x and 8.4.x are no longer supported, but Drupal has patched these on this occasion.
Version 6 is end-of-life but issues can be addressed and fixed through the Drupal 6 long term support project.
Web admins were tipped off earlier this week about the updates so that they could schedule time to implement the release.
For those who are having trouble updating their sites, Drupal advised: “There are several solutions, but they are all based on the idea of not serving the vulnerable Drupal pages to visitors.
“Temporarily replacing your Drupal site with a static HTML page is an effective mitigation.
“For staging or development sites you could disable the site or turn on a ‘Basic Auth’ password to prevent access to the site.”
This latest find comes months almost exactly a month after Drupal patched a serious cross-site scripting (XSS) flaw in versions 7 and 8.