Millions of websites that use Drupal content management systems risk being captured until they recover from the vulnerability that allows hackers to remotely execute malicious actions. Project Managers open source code warned on Wednesday
CVE-2019-6340, as a consequence of the lack of, is due to inadequate verification of user inputs, report managers. Hackers who exploit this vulnerability may, in some cases, run code at their own option on vulnerable websites.
"Some types of fields do not correctly disinfect data from sources that are not forms," - it is indicated in the certificate. "In some cases this may lead to the arbitrary execution of the PHP code."
In order for the site to be vulnerable, you must comply with one of the following conditions:
- It has Drupal 8 module, the RESTful core and allows PATCH or POST or
- requests. It has another Web services module, for example JSON: APIs in Drupal 8, or RESTful Services or Rustful Web Services in Drupal 7
Project managers urge administrators of vulnerable websites to update somehow. For sites that are running version 8.6.x, this involves upgrading to 8.6.1
Popular Target Hacker
Drupal is the third most widely used CMS for WordPress and Joomla. Approximately 3% to 4% of the millions of websites in the world mean that Drupal launches tens of millions of sites. Critical weaknesses in any CMS are popular with hackers, as vulnerabilities can be solved against a large number of sites using a single, often easily written script.
In 2014 and again last year, hackers did not waste time exploiting critical code vulnerabilities shortly after they were fixed by Drupal project leaders. The vulnerability of last year, Drupalgeddon2, was still exploited six weeks after its correction, indicating that many Drupal sites were unable to listen to urgent corrective advice.
At the time of posting this post, there were no reports of the most current vulnerability of Drupal. This, obviously, is subject to change. This post will be updated if new information is displayed.