Drupal Core Form Rendering Remote Code Execution
TSL ID TSL20180328-07
CVE ID(s) CVE-2018-7600
Severity Critical
Description

A remote code execution vulnerability has been reported in the form rendering component of Drupal Core. The vulnerability is due to improper validation of user-supplied data: request parameters reach the Form API and render system without being sanitized, so array keys that the renderer interprets as render-array properties can be injected from the request. The vendor fix sanitizes incoming request data by stripping keys that begin with `#`, the prefix reserved for those properties.

A remote, unauthenticated attacker could exploit this vulnerability by sending crafted requests to the target system. Successful exploitation could result in arbitrary code execution under the security context of the user running the web server, i.e. the account the PHP process runs as.

The vendor, Drupal, has released the following advisory regarding the vulnerability:

https://www.drupal.org/sa-core-2018-002

Affected Products
  • Drupal 7.x prior to 7.58
  • Drupal 8.3.x prior to 8.3.9
  • Drupal 8.4.x prior to 8.4.6
  • Drupal 8.5.x prior to 8.5.1
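The list above is the check a responder actually runs against a deployed site. The following Python script is an added example, not part of this advisory and not Drupal's own code: it extracts the core `VERSION` constant from a checked-out tree and compares it with the fixed releases listed above. The two file snippets are constructed inputs that mimic the version constant in Drupal 7 (`includes/bootstrap.inc`) and Drupal 8 (`core/lib/Drupal.php`); those file locations are assumed from the Drupal source layout. A version outside the listed branches is reported as "unlisted" rather than guessed at.

```python
"""Check a Drupal core version against SA-CORE-2018-002 (CVE-2018-7600).

Added example: not the advisory's or Drupal's own code. The file
snippets below are constructed to look like the VERSION constants in
Drupal 7 (includes/bootstrap.inc) and Drupal 8 (core/lib/Drupal.php);
those locations are an assumption about the Drupal tree layout.
"""
import re

# First fixed release for every affected branch listed in the advisory.
# Drupal 7 is keyed by major only; Drupal 8 by (major, minor).
FIXED = {
    (7,): (7, 58),
    (8, 3): (8, 3, 9),
    (8, 4): (8, 4, 6),
    (8, 5): (8, 5, 1),
}

# Matches both  define('VERSION', '7.57');  and  const VERSION = '8.5.1';
VERSION_RE = re.compile(
    r"""(?:define\s*\(\s*['"]VERSION['"]\s*,|const\s+VERSION\s*=)"""
    r"""\s*['"]([0-9][0-9A-Za-z.\-]*)['"]"""
)

# Constructed sample files (not real Drupal source).
DRUPAL7_BOOTSTRAP = (
    "<?php\n"
    "/**\n * The current system version.\n */\n"
    "define('VERSION', '7.57');\n"
)
DRUPAL8_CLASS = (
    "<?php\n"
    "namespace Drupal;\n"
    "class Drupal {\n"
    "  const VERSION = '8.5.1';\n"
)


def extract_version(source):
    """Return the VERSION string found in a Drupal core file, or None."""
    m = VERSION_RE.search(source)
    return m.group(1) if m else None


def parse_version(version):
    """Split '8.5.0-rc1' into ((8, 5, 0), 0); a final release gets flag 1.

    The flag makes a pre-release (-dev, -rc1, ...) sort before the final
    release with the same numbers, so '7.58-dev' is still below 7.58.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?", version)
    if not m:
        raise ValueError("unrecognised Drupal version: %r" % version)
    nums = tuple(int(part) for part in m.group(1).split("."))
    final = 1 if m.group(2) is None else 0
    return nums, final


def assess(version):
    """Return 'vulnerable', 'fixed', or 'unlisted' for a core version string."""
    nums, final = parse_version(version)
    key = nums[:1] if nums[0] == 7 else nums[:2]
    fixed = FIXED.get(key)
    if fixed is None:
        # Branch not in the advisory's affected list (e.g. 8.2.x): do not
        # guess; the operator must consult the vendor advisory.
        return "unlisted"
    return "vulnerable" if (nums, final) < (fixed, 1) else "fixed"


if __name__ == "__main__":
    for label, text in (("Drupal 7 tree", DRUPAL7_BOOTSTRAP),
                        ("Drupal 8 tree", DRUPAL8_CLASS)):
        found = extract_version(text)
        print("%s: VERSION=%s -> %s" % (label, found, assess(found)))
```

A version check only tells you whether the upgrade has been applied; a tree already at a fixed release says nothing about whether the site was exploited before it was patched, so treat it as the first step of an assessment, not the last.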
CVSS v2 Base Score 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P):
  • Access vector is NETWORK
  • Access complexity is LOW
  • Level of authentication required is NONE
  • Impact of this vulnerability on data confidentiality is PARTIAL
  • Impact of this vulnerability on data integrity is PARTIAL
  • Impact of this vulnerability on data availability is PARTIAL
Temporal Score 5.9 (E:POC/RL:OF/RC:C):
  • The exploitability level of this vulnerability is PROOF OF CONCEPT
  • The remediation level of this vulnerability is OFFICIAL FIX
  • The report confidence level of this vulnerability is CONFIRMED
References
  • https://www.drupal.org/sa-core-2018-002 (vendor advisory)
  • https://gist.github.com/AlbinoDrought/626c07ee96bae21cb174003c9c710384 (third-party proof of concept)