#VU15406 Code injection in Drupal


Published: 2018-10-18

Vulnerability identifier: #VU15406

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: N/A

CWE-ID:

Exploitation vector: Network

Exploit availability:

Vulnerable software:
Drupal
Web applications / CMS

Vendor: Drupal

Description

The vulnerability allows a remote attacker to compromise vulnerable application.

The vulnerability exists due to insufficient filtration of user supplied data within the contextual links functionality. A remote authenticated attacker with privileges to access contextual links can execute arbitrary PHP code on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Drupal: 8.6.0 - 8.6.1, 8.5.0 - 8.5.7

Fixed software versions

CPE

External links
http://www.drupal.org/sa-core-2018-006

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability


Multiple vulnerabilities in Drupal