CVE-2018-7602 is Drupalgeddon2's offspring

The latest Drupal core vulnerability, designated SA-CORE-2018-004 and assigned CVE-2018-7602, is related to the March SA-CORE-2018-002 flaw (CVE-2018-7600), according to the Drupal security team. It can be exploited to take over a website's server, and allow miscreants to steal information or alter pages.

The flaw they are exploiting is a remote code execution (RCE) bug that affects both Drupal 7.x and 8.x versions. The vulnerability is rated 20 out of 25 on Drupal's own severity scale, meaning it can give attackers complete control over an attacked site.

The flaw is related to how Drupal handles the "#" character used in its URLs, and the lack of input sanitization applied to parameters supplied via the "#" character.

The fix is to upgrade to the most recent version of Drupal 7 or 8 core. The latest code can be found at Drupal's website. For those running 7.x, that means upgrading to Drupal 7.59. For those running 8.5.x, the latest version is 8.5.3. And for those still on 8.4.x, there's an upgrade to 8.4.8, despite the fact that as an unsupported minor release, the 8.4.x line would not normally get security updates.
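A defender's check for the pattern described above, as an added example that is not part of the original post and is not Drupal's own code: it scans web access-log lines for request parameters whose names, once URL-decoded, contain a segment that starts with "#". The log lines, paths and parameter names are constructed, and the combined log format is an assumption.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (combined log format); not taken from any real site.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Apr/2018:10:00:01 +0000] "GET /page/1?page=2 HTTP/1.1" 200 512
203.0.113.9 - - [26/Apr/2018:10:00:02 +0000] "GET /form?element[%23example][]=x&q=1 HTTP/1.1" 200 1024
198.51.100.4 - - [26/Apr/2018:10:00:03 +0000] "POST /form?%23flag=1 HTTP/1.1" 403 0
198.51.100.5 - - [26/Apr/2018:10:00:04 +0000] "GET /search?q=c%23+tutorial HTTP/1.1" 200 2048
"""

# Captures the client address and the request target from one log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')


def key_segments(key):
    """Split a nested parameter name such as 'a[b][c]' into ['a', 'b', 'c']."""
    head, _, rest = key.partition("[")
    return [head] + re.findall(r"\[?([^\[\]]*)\]", rest)


def hash_keys(target):
    """Return decoded parameter names having a segment that starts with '#'."""
    # Split on the first '?' by hand so a literal '#' is not dropped as a fragment.
    _, _, query = target.partition("?")
    hits = []
    for pair in query.split("&"):
        key = unquote_plus(pair.partition("=")[0])
        # Only names are checked: a '#' inside a value (last sample line) is normal.
        if any(seg.startswith("#") for seg in key_segments(key)):
            hits.append(key)
    return hits


def scan(log_text):
    """Return (client, request target, flagged names) for each suspicious line."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target = match.groups()
        keys = hash_keys(target)
        if keys:
            findings.append((client, target, keys))
    return findings


if __name__ == "__main__":
    for client, target, keys in scan(SAMPLE_LOG):
        print(client, target, keys)
```

Access logs normally record only the query string, so parameters sent in a POST body are not visible to this check and need request-body logging or a WAF rule instead.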

Computer Talk Forum

| Computer and Internet Discussion