Project: Drupal core
Security risk: *Critical* 17∕25
Vulnerability: Remote Code Execution
For Drupion customers
Please make sure to have your website covered by our auto-update feature as described on https://www.drupion.com/blog/automatic-drupal-core-updates-website-basis.... If for some reason you prefer not to enable the autoupdate feature, then please ask your developers to perform this security update as soon as possible. Alternatively, you can file a support request on https://dashboard.drupion.com and we will gladly update your websites.
A remote code execution vulnerability exists within multiple subsystems of
Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple
attack vectors on a Drupal site, which could result in the site being
compromised. This vulnerability is related to Drupal core - Highly critical -
Remote Code Execution - SA-CORE-2018-002. While SA-CORE-2018-002 is being
exploited in the wild, this vulnerability is not known to be in active
exploitation as of this release.
Upgrade to the most recent version of Drupal 7 or 8 core.
If you are unable to update immediately, or if you are running a Drupal distribution that does not yet include this security release, you can attempt to apply the patch below to fix the vulnerability until you are able to update completely:
These patches will only work if your site already has the fix from