9.8

CVE-2018-7602

Warnung
Exploit

Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-004

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
DrupalDrupal Version >= 7.0 < 7.59
DrupalDrupal Version >= 8.4.0 < 8.4.8
DrupalDrupal Version >= 8.5.0 < 8.5.3
DebianDebian Linux Version7.0
DebianDebian Linux Version8.0
DebianDebian Linux Version9.0

13.04.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog

Drupal Core Remote Code Execution Vulnerability

Schwachstelle

A remote code execution vulnerability exists within multiple subsystems of Drupal that can allow attackers to exploit multiple attack vectors on a Drupal site.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 99.24% 0.999
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

http://www.securityfocus.com/bid/103985
Third Party Advisory
Broken Link
VDB Entry
http://www.securitytracker.com/id/1040754
Third Party Advisory
Broken Link
VDB Entry
https://lists.debian.org/debian-lts-announce/2018/04/msg00030.html
Third Party Advisory
Mailing List
https://www.debian.org/security/2018/dsa-4180
Third Party Advisory
https://www.drupal.org/sa-core-2018-004
Patch
Vendor Advisory
https://www.exploit-db.com/exploits/44542/
Third Party Advisory
Exploit
VDB Entry
https://www.exploit-db.com/exploits/44557/
Third Party Advisory
Exploit
VDB Entry
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-7602
US Government Resource