CVE-2018-7602 | HackTesting

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.

Credits

Reported By: David Rothstein of the Drupal Security Team Alex Pott of the Drupal Security Team Heine Deelstra of the Drupal Security Team Jasper Mattsson Fixed By: David Rothstein of the Drupal Security Team xjm of the Drupal Security Team Samuel Mortenson of the Drupal Security Team Alex Pott of the Drupal Security Team Lee Rowlands of the Drupal Security Team Heine Deelstra of the Drupal Security Team Pere Orga of the Drupal Security Team Peter Wolanin of the Drupal Security Team Tim Plunkett Michael Hess of the Drupal Security Team Nate Lampton Jasper Mattsson Neil Drumm of the Drupal Security Team Cash Williams of the Drupal Security Team Daniel Wehner

References

https://www.exploit-db.com/exploits/44557/

http://www.securitytracker.com/id/1040754

https://lists.debian.org/debian-lts-announce/2018/04/msg00030.html

https://www.exploit-db.com/exploits/44542/

https://www.debian.org/security/2018/dsa-4180

https://www.drupal.org/sa-core-2018-004

http://www.securityfocus.com/bid/103985