Drupal patched two critical remote code execution vulnerabilities which would have allowed attackers to exploit Drupal CMS installations with versions prior to 7.60, 8.6.2, and 8.5.8.
Unpatched versions of the Drupal open source content management system (CMS) are vulnerable to remote exploitation which could lead to remote code execution.
Given enough privileges associated with the user that the Drupal installation runs under, this could allow bad actors to create new accounts with full users rights, as well as view, change, delete data on the compromised target.
Therefore, compromised servers where Drupal is launched using a user with limited rights will be a lot less impacted than those where Drupal runs under an administrator account.
The remote code execution vulnerability exists within the default Drupal mail system because of improper sanitization for shell arguments, which could result in a website being fully compromised.
Multiple remote code execution vulnerabilities allow attackers to compromise Drupal versions prior to 7.60, 8.6.2, and 8.5.8
The first critical vulnerability resided in Drupal's DefaultMailSystem::mail() mailing component and it leads to RCE when sent emails contain variables which were not sanitized for shell arguments.
The second critical security issue patched by Drupal was present in the Contextual Links module which did not sufficiently validate requested contextual links.
"This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access contextual links," according to Drupal's SA-CORE-2018-006 security advisory.
Drupal also patched three other security bugs which could have led to access bypass, open redirect, and anonymous open redirect conditions.
To mitigate the RCE vulnerabilities, website administrators are advised to upgrade their Drupal 7 or 8 core installation to 7.60 if they are on the 7.x branch, to Drupal 8.6.2 if they run Drupal 8.6.x, and to Drupal 8.5.8 for admins who run 8.5.x or earlier.