CVE-2018-7602

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.

Credits

David Rothstein

Alex Pott

Heine Deelstra

Jasper Mattsson

David Rothstein

xjm

Samuel Mortenson

Alex Pott

Lee Rowlands

Heine Deelstra

Pere Orga

Peter Wolanin

Tim Plunkett

Michael Hess

Nate Lampton

Jasper Mattsson

Neil Drumm

Cash Williams

Daniel Wehner

References

https://www.exploit-db.com/exploits/44557/

http://www.securitytracker.com/id/1040754

https://lists.debian.org/debian-lts-announce/2018/04/msg00030.html

https://www.exploit-db.com/exploits/44542/

https://www.debian.org/security/2018/dsa-4180

https://www.drupal.org/sa-core-2018-004

http://www.securityfocus.com/bid/103985