Input Validation issue unearthed in Drupal
Target: Sites utilizing insufficiently patched versions of Drupal and site users
Attack Vector: RCE using CVE-2018-7600
Summary: The developers of the open source software Drupal have announced the existence of a major, high severity vulnerability, CVE-2018-7600. This vulnerability affects Drupal versions 7.x. and 8.x. along with certain legacy iterations of the software. The vulnerability allows for several attack vectors to be exploited using remote code execution (RCE), with any webpage utilising Drupal software vulnerable. It is estimated that over 1 million sites are vulnerable. Risk assessment summary: The threat is assessed as 3c MODERATE. There is a significant risk from this vulnerability. A threat actor could access sensitive information without any authentication, as well as modify and delete system data. However, despite all of this, the flaw has not been exploited in the wild, nor is there any exploit code publicly available. In addition, a patch is available, with relevant sites pre-notified to prepare, all mitigating.