Drupal releases security advisory for ‘serious’ Remote Code Execution vulnerability

Drupal has released a security advisory (SA-CORE-2019-003) for a highly critical remote code execution vulnerability, CVE-2019-6340, affecting Drupal 8 core and several contributed modules for Drupal 7 and Drupal 8. Samuel Mortenson, a member of the Drupal Security Team, reports that arbitrary PHP code execution is possible because some field types do not properly sanitize data arriving from non-form sources, such as REST or JSON:API requests. Drupal issued the warning a day before Wednesday's patch release.

According to the advisory, a site is affected if it has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or if it has another web services module enabled, for instance JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.

To address the vulnerability, Drupal has released Drupal 8.6.10 (for sites on 8.6.x) and Drupal 8.5.11 (for sites on 8.5.x or earlier), together with security updates for affected contributed modules for Drupal 7 and Drupal 8. No Drupal 7 core update is required, but several Drupal 7 contributed modules do need updating. The team advises installing any available security updates for contributed projects after updating Drupal core.

As an immediate mitigation, the advisory recommends either disabling all web services modules or configuring the web server(s) to reject PUT/PATCH/POST requests to web services resources. It also notes that web services resources may be reachable on multiple paths depending on server configuration: in Drupal 7, for example, via clean URLs as well as the "q" query argument, and in Drupal 8, paths may still work when prefixed with index.php/. Any web server rule therefore has to cover every such form, and it is a stopgap until the updates are applied, not a fix.
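The following is an added example of the web server mitigation for a Drupal 8 site on Apache; it is not from the Drupal advisory or from Drupal's own .htaccess. It assumes the Drupal 8 defaults that JSON:API is served under the /jsonapi prefix and that core REST resources are selected with the ?_format= query parameter; sites with a custom JSON:API prefix or extra web services modules need matching rules.

```apache
# Added example (not part of the Drupal advisory): temporary hotfix for a
# Drupal 8 site on Apache. Place it in the site's .htaccess inside the
# <IfModule mod_rewrite.c> block, BEFORE the rule that hands requests to
# index.php, so it runs first. It rejects state-changing methods on web
# services resources until core and contributed modules are updated.
# Assumptions: JSON:API at its default /jsonapi prefix, and core REST
# resources addressed with the ?_format= query parameter.

RewriteEngine On

# 1. JSON:API module: refuse POST/PUT/PATCH to /jsonapi/..., including the
#    non-clean-URL form /index.php/jsonapi/... that the advisory warns about.
#    Matching on REQUEST_URI keeps the rule independent of RewriteBase.
RewriteCond %{REQUEST_METHOD} ^(POST|PUT|PATCH)$ [NC]
RewriteCond %{REQUEST_URI} ^/(index\.php/)?jsonapi(/|$)
RewriteRule ^ - [R=405,L]

# 2. Core REST module: resources sit on ordinary entity paths (for example
#    /node/1 or /entity/node) and are selected with ?_format=json or
#    ?_format=hal_json, so match the method plus any _format query argument.
#    The query string is the same whether or not the path has an index.php/
#    prefix, so this rule covers both forms.
RewriteCond %{REQUEST_METHOD} ^(POST|PUT|PATCH)$ [NC]
RewriteCond %{QUERY_STRING} (^|&)_format= [NC]
RewriteRule ^ - [R=405,L]
```

A non-3xx status in `[R=405]` makes mod_rewrite drop the substitution and stop processing, so the client receives 405 Method Not Allowed without the request ever reaching Drupal. Verify the rules with a harmless request before relying on them, for example a PATCH to /jsonapi/node/article and a POST to /entity/node?_format=hal_json should both return 405, while normal GET page loads keep working. This blocks only the methods the advisory names and breaks legitimate API writes for the duration, so apply the core and contributed updates and then remove the rules.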

According to ZDNet, Drupal is the third most popular CMS for website publishing and accounts for about three percent of the world's billion-plus websites. An attacker exploiting this vulnerability could hijack a Drupal site and, from there, take control of the web server and every website it hosts.
For full details, see Drupal's security advisory.


Melisha Dsouza
