Vulnerability CVE-2018-7600
Published: 2018-03-29

Description:
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.

See advisories in our WLB2 database:
Topic
Author
Date
High
Drupal 0day Remote PHP Code Execution (Python)
Vitalii Rudnykh
13.04.2018
High
Drupal 0day Remote PHP Code Execution (curl)
i_bo0om
13.04.2018
High
Drupal Drupalgeddon2 Remote Code Execution (Ruby)
Hans Topo
13.04.2018
High
Drupal 0day Remote PHP Code Execution (Perl)
GIST
14.04.2018

Type:

CWE-20

 (Improper Input Validation)

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
Drupal -> Drupal 
Debian -> Debian linux 

 References:
http://www.securityfocus.com/bid/103534
http://www.securitytracker.com/id/1040598
https://badpackets.net/over-100000-drupal-websites-vulnerable-to-drupalgeddon-2-cve-2018-7600/
https://blog.appsecco.com/remote-code-execution-with-drupal-core-sa-core-2018-002-95e6ecc0c714
https://github.com/a2u/CVE-2018-7600
https://github.com/g0rx/CVE-2018-7600-Drupal-RCE
https://greysec.net/showthread.php?tid=2912&pid=10561
https://groups.drupal.org/security/faq-2018-002
https://lists.debian.org/debian-lts-announce/2018/03/msg00028.html
https://research.checkpoint.com/uncovering-drupalgeddon-2/
https://twitter.com/arancaytar/status/979090719003627521
https://twitter.com/RicterZ/status/979567469726613504
https://twitter.com/RicterZ/status/984495201354854401
https://www.debian.org/security/2018/dsa-4156
https://www.drupal.org/sa-core-2018-002
https://www.exploit-db.com/exploits/44448/
https://www.exploit-db.com/exploits/44449/
https://www.exploit-db.com/exploits/44482/
https://www.synology.com/support/security/Synology_SA_18_17
https://www.tenable.com/blog/critical-drupal-core-vulnerability-what-you-need-to-know
Copyright 2024, cxsecurity.com

 

Back to Top