Drupal Form API command execution

Added: 04/25/2018
CVE: CVE-2018-7600
BID: 103534

Background

Drupal is an open-source content management system written in PHP.

Problem

Insufficient sanitization on Form API AJAX requests could allow a remote attacker to execute arbitrary commands.

Resolution

Upgrade to Drupal 7.58, 8.3.9, 8.4.6, 8.5.1, or higher.

References

https://www.drupal.org/sa-core-2018-002
https://research.checkpoint.com/uncovering-drupalgeddon-2/

Limitations

Exploit works on Drupal 8.x running on Linux.

Platforms

Linux
