CVE-2018-7602

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
drupalCNA
---
---
CVEADP
---
---
CISA-ADPADP
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 99%
VendorProductVersion
drupaldrupal
7.0 ≤
𝑥
< 7.59
drupaldrupal
8.4.0 ≤
𝑥
< 8.4.8
drupaldrupal
8.5.0 ≤
𝑥
< 8.5.3
debiandebian_linux
7.0
debiandebian_linux
8.0
debiandebian_linux
9.0
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
drupal7
jammy
dne
impish
dne
hirsute
dne
groovy
dne
focal
dne
eoan
dne
disco
dne
cosmic
dne
bionic
dne
artful
ignored
xenial
Fixed 7.44-1ubuntu1~16.04.0+esm1
released
trusty
Fixed 7.26-1ubuntu0.1+esm1
released
Common Weakness Enumeration
References
http://www.securityfocus.com/bid/103985
http://www.securitytracker.com/id/1040754
https://lists.debian.org/debian-lts-announce/2018/04/msg00030.html
https://www.debian.org/security/2018/dsa-4180
https://www.drupal.org/sa-core-2018-004
https://www.exploit-db.com/exploits/44542/
https://www.exploit-db.com/exploits/44557/
http://www.securityfocus.com/bid/103985
http://www.securitytracker.com/id/1040754
https://lists.debian.org/debian-lts-announce/2018/04/msg00030.html
https://www.debian.org/security/2018/dsa-4180
https://www.drupal.org/sa-core-2018-004
https://www.exploit-db.com/exploits/44542/
https://www.exploit-db.com/exploits/44557/