March 2018

Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002

Project: Drupal core
Date: 2018-March-28
Security risk: *Highly critical* 21∕25
Vulnerability: Remote Code Execution


CVE: CVE-2018-7600

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.

Exif - Critical - Access bypass - SA-CONTRIB-2018-017

Project: Exif
Version: 8.x-1.x-dev
Date: 2018-March-21
Security risk: *Critical* 16∕25
Vulnerability: Access bypass


This module enables you to retrieve image metadata and use them in fields or

The module doesn't sufficiently restrict access to module setting pages
thereby causing an access bypass vulnerability.

This vulnerability is mitigated by the fact that an attacker must have
permission to create entities of certain content entity types.

JSON API - Moderately critical - Access Bypass - SA-CONTRIB-2018-016

Project: JSON API
Version: 8.x-1.x-dev
Date: 2018-March-21
Security risk: *Moderately critical* 11∕25
Vulnerability: Access Bypass


This module provides a JSON API standards-compliant API for accessing and
manipulating Drupal content and configuration entities.

The module doesn't sufficiently check access when viewing related resources
or relationships, thereby causing an access bypass vulnerability.

Drupal 8.5.0 has been just released

What's new in Drupal 8.5.0?

This new version makes Media module available for all, improves migrations significantly, stabilizes the Content Moderation and Settings Tray modules, serves dynamic pages faster with BigPipe enabled by default, and introduces a new experimental entity layout user interface. The release includes several very important fixes for workflows of content translations and supports running on PHP 7.2.