CVE-2018-7602 is Drupalgeddon2's offspring

The latest Drupal core vulnerability, designated SA-CORE-2018-004 and assigned CVE-2018-7602, is related to the March SA-CORE-2018-002 flaw (CVE-2018-7600), according to the Drupal security team. It can be exploited to take over a website's server, allowing miscreants to steal information or alter pages.

The flaw attackers are exploiting is a remote code execution (RCE) bug that affects both the Drupal 7.x and 8.x branches. The vulnerability is rated 20 out of 25 on Drupal's own severity scale, meaning it can give attackers complete control over an attacked site.

The flaw is related to how Drupal handles the "#" character used in its URLs, and to the lack of input sanitization applied to parameters supplied via the "#" character.
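As an added illustration of the "#"-prefixed-parameter pattern the article describes (this is not code from Drupal or from the article), the following Python check scans web-server access-log lines and flags requests whose query-string keys begin with "#" once URL-decoded, including PHP-style nested keys and keys hidden inside a once-more-encoded value. The log lines are constructed for the example, and the detection logic is an assumption about what a defender would look for, not a reproduction of Drupal's own request handling.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Combined Log Format request line; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (RFC 5737 test addresses); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Apr/2018:10:00:01 +0000] "GET /user/register HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Apr/2018:10:00:02 +0000] "POST /?q=user/register&%23example=1 HTTP/1.1" 200 512 "-" "curl/7.58"
203.0.113.9 - - [25/Apr/2018:10:00:03 +0000] "GET /?destination=/node/1%3F%2523foo%3Dbar HTTP/1.1" 200 512 "-" "curl/7.58"
198.51.100.2 - - [25/Apr/2018:10:00:04 +0000] "GET /search?q=c%23+tutorial HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

def hash_keys(query: str, depth: int = 0) -> list[str]:
    """Return parameter *names* that start with '#' after URL-decoding.

    Handles PHP-style nested keys (a[b][#c]) and descends a limited number of
    times into values that themselves look like a query string (a redirect-style
    parameter carrying an encoded '#'-key), so double encoding is not missed.
    A '#' inside a plain value (e.g. a search term) is deliberately not flagged.
    """
    found = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        parts = [key.split('[', 1)[0]] + re.findall(r'\[([^\]]*)\]', key)
        found.extend(p for p in parts if p.startswith('#'))
        if depth < 2 and ('=' in value or '%23' in value.lower()):
            found.extend(hash_keys(value.split('?', 1)[-1], depth + 1))
    return found

def suspicious_requests(log_text: str) -> list[dict]:
    """Parse access-log lines and return those whose query carries '#'-keys."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not request entries
        target = urlsplit(m['target'])
        keys = hash_keys(target.query)
        if keys:
            hits.append({'ip': m['ip'], 'method': m['method'],
                         'path': target.path, 'keys': keys})
    return hits

if __name__ == '__main__':
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

The check is useful for triage of historic logs; it is not a substitute for applying the core update, since it only sees URL-encoded query strings and not, for instance, POST bodies.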

The fix is to upgrade to the most recent version of Drupal 7 or 8 core. The latest code can be found at Drupal's website. For those running 7.x, that means upgrading to Drupal 7.59. For those running 8.5.x, the latest version is 8.5.3. And for those still on 8.4.x, there's an upgrade to 8.4.8, despite the fact that, as an unsupported minor release, the 8.4.x line would not normally receive security updates.