Remote Code Execution

Affecting drupal/drupal package, versions >=7.0.0, <7.60 || >=8.0.0, <8.5.8 || >=8.6.0, <8.6.2

Overview

drupal/drupal is an open source content management platform powering millions of websites and applications.

Affected versions of this package are vulnerable to Remote Code Execution via the Contextual Links module, which performs insufficient validation of the requests it handles.

Remediation

Upgrade drupal/drupal to versions 7.60, 8.5.8, 8.6.2 or higher.
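The advisory's affected ranges are easy to misread because Drupal 7 uses two-part version numbers (7.59, 7.60) while Drupal 8 uses three. The following check, an example added here and not code from Snyk or the Drupal project, encodes the three ranges from the advisory and evaluates an installed version against them. It assumes a standard composer.lock layout (a "packages" / "packages-dev" array of objects with "name" and "version" fields) for Drupal 8 sites, and, for Drupal 7 sites that are not Composer-managed, that the core version is declared as `define('VERSION', '7.xx');` in includes/bootstrap.inc. The sample lock file and bootstrap snippet below are constructed for the example.

```python
"""Check whether an installed drupal/drupal version falls in the advisory's affected ranges."""
import json
import re

# Affected ranges from the advisory: lower bound inclusive, upper bound exclusive (the fixed release).
AFFECTED_RANGES = [
    ("7.0.0", "7.60"),
    ("8.0.0", "8.5.8"),
    ("8.6.0", "8.6.2"),
]


def parse_version(v):
    """Return (numeric tuple padded to 3 parts, is_prerelease).

    '7.60' -> ((7, 60, 0), False); 'v8.5.8-rc1' -> ((8, 5, 8), True).
    Non-numeric components (e.g. '7.x-dev') are treated as 0.
    """
    v = v.strip().lstrip("v")
    base, dash, _suffix = v.partition("-")       # anything after '-' is a pre-release tag
    is_pre = bool(dash)
    base = base.split("+", 1)[0]                  # drop build metadata
    nums = tuple(int(p) if p.isdigit() else 0 for p in base.split("."))
    return (nums + (0, 0, 0))[:3], is_pre


def is_affected(version):
    """True if `version` lies in any affected range of this advisory."""
    nums, is_pre = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        lo_n, _ = parse_version(lo)
        hi_n, _ = parse_version(hi)
        # A pre-release of the fixed version (e.g. 8.5.8-rc1) predates the fix,
        # so the upper bound is treated as inclusive for pre-releases.
        if lo_n <= nums < hi_n or (is_pre and nums == hi_n):
            return True
    return False


def find_affected(lock_json):
    """Return [(name, version)] for drupal/drupal entries in a composer.lock that are affected."""
    lock = json.loads(lock_json)
    hits = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == "drupal/drupal" and is_affected(pkg.get("version", "")):
                hits.append((pkg["name"], pkg["version"]))
    return hits


def version_from_bootstrap(bootstrap_inc_text):
    """Extract the core VERSION constant from Drupal 7's includes/bootstrap.inc (assumed layout)."""
    m = re.search(r"define\('VERSION',\s*'([^']+)'\)", bootstrap_inc_text)
    return m.group(1) if m else None


# Constructed sample inputs for demonstration (not real project files).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/drupal", "version": "8.5.7"},
        {"name": "symfony/yaml", "version": "v3.4.14"},
    ],
    "packages-dev": [],
})
SAMPLE_BOOTSTRAP = "<?php\n/**\n * The current system version.\n */\ndefine('VERSION', '7.59');\n"

if __name__ == "__main__":
    print("composer.lock hits:", find_affected(SAMPLE_LOCK))
    d7 = version_from_bootstrap(SAMPLE_BOOTSTRAP)
    print("Drupal 7 core:", d7, "affected" if is_affected(d7) else "not affected")
```

The pre-release handling is deliberately conservative: a tag such as 8.5.8-rc1 is reported as affected even though it sorts below 8.5.8, because the remediation is the released 8.5.8 or later, not a candidate build of it.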

CVSS Score

9.8 (high severity)

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Credit: Nick Booher
CWE: CWE-94
Snyk ID: SNYK-PHP-DRUPALDRUPAL-72484
Disclosed: 17 Oct, 2018
Published: 22 Oct, 2018