OS command injection in Drupal

#VU15405 OS command injection in Drupal

Published: 2018-10-18

Vulnerability identifier: #VU15405

Vulnerability risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-78

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Drupal
Web applications / CMS

Vendor: Drupal

Description

The vulnerability allows a remote authenticated attacker to compromise vulnerable system.

The vulnerability exists due to insufficient sanitization of the user-supplied input when sending email messages via DefaultMailSystem::mail() function. A remote attacker can inject and execute arbitrary OS commands on the vulnerable system with privileges of the web server.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Drupal: 8.6.0 - 8.6.1, 8.5.0 - 8.5.7, 7.0 - 7.60

External links
http://www.drupal.org/sa-core-2018-006

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Debian update for drupal7

Multiple vulnerabilities in Drupal