29 March 2018

Urgent patch from Drupal

As a responsible security consultancy company, we want to make sure our clients are as secure as they can be, regardless of whether an assessment is currently taking place. To do this, we monitor new vulnerabilities as they come out and consider what the potential impact of these issues may be.

We wanted you to be aware of a new Remote Code Execution vulnerability that has been announced and resolved with an urgent patch from Drupal.

This vulnerability impacts those running Drupal 7.x and 8.x and could potentially lead to a complete compromise of a website from an entirely unauthorised perspective. Drupal aimed to ensure that web admins were aware before the patch was released, so hopefully your organisation has taken steps to remediate this issue.

If not, patches are available from Drupal, and details of the issue, "CVE-2018-7600", are available from their website (https://www.drupal.org/sa-core-2018-002).

(Note: this issue also impacts Drupal 6, but as it is out of support, it is believed that no patch will be released.)