Synology-SA-18:18 Drupal

Publish Time: 2018-04-26 13:51:34 UTC+8

Last Updated: 2020-02-21 21:17:35 UTC+8

Severity
Moderate
Status
Resolved

Abstract

A vulnerability allows remote authenticated users to execute arbitrary code via a susceptible version of Drupal and Drupal8.

Affected Products

Product Severity Fixed Release Availability
Drupal Moderate Upgrade to 7.59-0127 or above.
Drupal8 Moderate Upgrade to 8.4.8-0010 or above.

Mitigation

If you need immediate assistance, please contact security@synology.com.

Detail

  • CVE-2018-7602
    • Severity: Moderate
    • CVSS3 Base Score: 6.3
    • CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
    • A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.

Reference

Revision

Revision Date Description
1 2018-04-26 Initial public release.
2 2018-04-30 Update for Drupal and Drupal8 are now available in Affected Products.
3 2018-08-24 Updated Detail.