Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon

Drupal releases security advisory for ‘serious’ Remote Code Execution vulnerability

Save for later
  • 2 min read
  • 22 Feb 2019

article-image

Drupal released a security advisory for a highly critical remote execution (CVE-2019-6340) in its software. Samuel Mortenson, a member of the Drupal Security Team reports that an arbitrary PHP code execution is possible due to a lack of data sanitization in certain field types linked to non-form sources.  Drupal issued the warning a day before Wednesday’s patch release.

According to Drupal's blog, a particular site will be affected either if the site has the Drupal 8 core RESTful Web Services (rest) module enabled, allowing PATCH or POST requests, or if the site has another web services module enabled, for instance, JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.

To address this vulnerability, Drupal has released security updates for contributed modules for Drupal 7 and Drupal 8. Drupal has also released Drupal 8.6.10 and Drupal 8.5.11 without any core update for Drupal 7. The team has also advised users to install any available security updates for contributed projects after updating Drupal core.

Besides this, the blog also states that to immediately mitigate the vulnerability, users can disable all web services modules, or configure their web server(s) to not allow PUT/PATCH/POST requests to web services resources.

According to ZDNET, Drupal is the third most popular CMS for website publishing and accounts for about three percent of the world's billion-plus websites. Hackers could use this vulnerability to potentially hijack a Drupal site and take control of a web server and all the websites supported by it.
To know more about this announcement visit Drupal’s blog.


Drupal 9 will be released in 2020, shares Dries Buytaert, Drupal’s founder
Google’s home security system, Nest Secure’s had a hidden microphone; Google says it was an “error”
Security researchers discloses vulnerabilities in TLS libraries and the downgrade Attack on TLS 1.3

 

Unlock access to the largest independent learning library in Tech for FREE!
Get unlimited access to 7500+ expert-authored eBooks and video courses covering every tech area you can think of.
Renews at €18.99/month. Cancel anytime