Remote Code Execution

Affecting drupal/core package, versions >=7.0.0, <7.60 || >=8.0.0, <8.5.8 || >=8.6.0, <8.6.2

high severity

Overview

drupal/core is an open source content management platform powering millions of websites and applications.

Affected versions of this package are vulnerable to Remote Code Execution via the contextual links module due to insufficient validation.

Remediation

Upgrade drupal/core to versions 7.60, 8.5.8, 8.6.2 or higher.
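To confirm whether a deployed site still needs this upgrade, the installed version can be read from composer.lock and compared with the affected ranges listed above. The following is an added example, not part of the advisory or of Drupal's tooling; the function names and the sample lock fragment are constructed, and pre-release suffixes such as -rc1 are ignored as a simplifying assumption.

```python
import json
import re

# Affected ranges copied from the advisory: lower bound inclusive, upper exclusive.
AFFECTED = [((7, 0, 0), (7, 60, 0)),
            ((8, 0, 0), (8, 5, 8)),
            ((8, 6, 0), (8, 6, 2))]

def parse_version(text):
    """Return the leading numeric part as a 3-tuple, e.g. '7.59' -> (7, 59, 0).

    Assumption: pre-release suffixes such as '-rc1' are ignored.
    """
    m = re.match(r"v?(\d+(?:\.\d+){0,2})", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    return tuple(nums + [0] * (3 - len(nums)))

def is_affected(version):
    """True if the version falls inside any range listed in the advisory."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED)

def check_lock(lock_text, package="drupal/core"):
    """Return (version, affected) for the package in composer.lock text, or None."""
    lock = json.loads(lock_text)
    for entry in lock.get("packages", []) + lock.get("packages-dev", []):
        if entry.get("name") == package:
            return entry["version"], is_affected(entry["version"])
    return None

# Constructed composer.lock fragment for illustration.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "symfony/yaml", "version": "v3.4.17"},
    {"name": "drupal/core", "version": "8.5.7"},
]})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
    for v in ("7.59", "7.60", "8.5.8", "8.6.1", "8.6.2"):
        print(v, is_affected(v))
```

A version string with no leading number (for example a branch alias) raises ValueError, so it is reported rather than silently treated as safe.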


Credit: Nick Booher
CWE: CWE-94
Snyk ID: SNYK-PHP-DRUPALCORE-72481
Disclosed: 21 Oct, 2018
Published: 22 Oct, 2018