The vulnerability could allow attackers to “completely compromise” a website built on Drupal, the project’s security team has warned
Drupal has released its patch for a highly critical vulnerability in multiple subsystems of the core platform that could let an attacker achieve remote code execution (RCE) on an affected website.
The open-source content management system (CMS) project issued security updates after the flaw was found to affect versions 6, 7 and 8.
The bug could allow attackers to achieve RCE on a Drupal site, which could result in the site being “completely compromised”, the security advisory read.
Attackers can exploit the issue from any page on the site without needing to log in or hold elevated privileges, Drupal warned.
Hackers could then manipulate or delete any data on the site, including data that was never made public.
Users are advised to upgrade to the latest versions of Drupal to protect themselves against the flaw, tracked as CVE-2018-7600.
There is no known exploit code in the wild yet, but Drupal warned that it is only a matter of time before one surfaces.
Anyone running version 7 should update to 7.58, and anyone on version 8.5 should update to 8.5.1.
Versions 8.3.x and 8.4.x are no longer supported, but Drupal has nonetheless released fixed versions (8.3.9 and 8.4.6) on this occasion for sites that have not yet moved to 8.5.x.
Version 6 is end-of-life, but the issue is being addressed through the Drupal 6 long-term support (LTS) project.
Web admins were given a week’s notice of the release so that they could schedule time to apply it.
For those unable to update their sites immediately, Drupal advised: “There are several solutions, but they are all based on the idea of not serving the vulnerable Drupal pages to visitors.
“Temporarily replacing your Drupal site with a static HTML page is an effective mitigation.
“For staging or development sites you could disable the site or turn on a ‘Basic Auth’ password to prevent access to the site.”
This latest find comes almost exactly a month after Drupal patched a serious cross-site scripting (XSS) flaw in versions 7 and 8.
A security advisory read: “Drupal has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript does not typically go through Twig auto-escaping).
“This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances.”
Another flaw fixed in the same release allowed users to view content and comments without permission, and to add comments to content they did not have access to.
Both issues were patched.
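The advisory above describes an escaper that fails "under certain circumstances", which in practice means in some output contexts but not others. The JavaScript below is an added example, not Drupal's own Drupal.checkPlain() implementation: escapeIncomplete is a hypothetical escaper that handles ampersand, angle brackets and double quotes but not single quotes (an assumption for illustration, not a description of the actual Drupal defect), escapeHtml is the complete form, and tokenisedAttrValue models how a browser delimits a quoted attribute value so the difference can be checked without a DOM.

```javascript
// Added example, not Drupal's Drupal.checkPlain() code. It contrasts a
// hypothetical escaper that forgets one character (an assumption made for
// illustration, not the actual Drupal defect) with a complete one, and shows
// that the same untrusted string becomes an injection only in one output
// context, which is the shape of bug the advisory describes.

// Hypothetical incomplete escaper: safe for text nodes and double-quoted
// attribute values, but it leaves the single quote untouched.
function escapeIncomplete(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Complete HTML escaper: every character that can end a text node or a
// quoted attribute value, in either quote style, is replaced in one pass,
// so already-escaped entities are never double-escaped.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// How a caller might drop the escaped value into an attribute, using
// whichever quote style the template happens to use.
function renderAttr(esc, quote, value) {
  return `<a title=${quote}${esc(value)}${quote}>link</a>`;
}

// Model of how a browser tokeniser delimits a quoted attribute value: the
// value runs from the opening quote to the first matching quote, no matter
// what the application intended.
function tokenisedAttrValue(html, quote) {
  const start = html.indexOf('title=' + quote) + 'title='.length + 1;
  return html.slice(start, html.indexOf(quote, start));
}

const DECODE = {
  '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'",
};
function decodeEntities(s) {
  return s.replace(/&(?:amp|lt|gt|quot|#39);/g, (e) => DECODE[e]);
}

// True when the browser would see the whole untrusted value as attribute
// data; false when part of it escaped the attribute and became markup.
function valueStaysInAttribute(esc, quote, value) {
  const html = renderAttr(esc, quote, value);
  return decodeEntities(tokenisedAttrValue(html, quote)) === value;
}

// Constructed attacker input: it tries to close a single-quoted attribute
// and append an event-handler attribute.
const PAYLOAD = "x' onmouseover='alert(document.domain)";

// Run every escaper/context combination and report which ones hold.
function auditEscapers(value) {
  const result = {};
  for (const [name, esc] of Object.entries({ escapeIncomplete, escapeHtml })) {
    for (const quote of ['"', "'"]) {
      result[`${name} in ${quote}-quoted attribute`] =
        valueStaysInAttribute(esc, quote, value);
    }
  }
  return result;
}
```

With the constructed payload, only the incomplete escaper inside a single-quoted attribute lets the value break out; the same escaper looks perfectly safe in a double-quoted attribute, which is exactly why a partial escaper can survive review and testing for a long time. An escaper is only correct for the contexts its callers actually use it in, so escape the full set of `& < > " '` and keep escaped text out of unquoted attributes, URLs and script blocks, which need their own encoders.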