CVE-2018-7602

Description

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.

How to fix CVE-2018-7602

To remediate CVE-2018-7602, upgrade the affected package to a fixed version below.

• —upgrade to 7.14-2+deb7u19 or later
• —upgrade to 7.32-1+deb8u12 or later
• —upgrade to 8.4.8 or later
• —upgrade to 7.59 or later
• —upgrade to 7.59 or later

Is CVE-2018-7602 being exploited?

Yes — CVE-2018-7602 is on the CISA Known Exploited Vulnerabilities (KEV) catalog. Patch immediately.

Affected packages (5)

• from 0, < 7.14-2+deb7u19
• from 0, < 7.32-1+deb8u12
• >= 8.0.0, < 8.4.8 | >= 8.5.0, < 8.5.3
• >= 7.0, < 7.59
• >= 7.0, < 7.59

CVSS scores

References (10)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-7602
• PATCHgithub.com/drupal/core
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2018-7602.yaml
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2018-7602.yaml