CVE-2018-7600
Published: 29 March 2018
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
From the Ubuntu Security Team
It was discovered that Drupal did not properly process certain input. An attacker could use this vulnerability to execute arbitrary code or completely compromise a Drupal site.
Priority
Status
Package | Release | Status |
---|---|---|
drupal7 Launchpad, Ubuntu, Debian |
hirsute |
Does not exist
|
artful |
Ignored
(end of life)
|
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
disco |
Does not exist
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
impish |
Does not exist
|
|
jammy |
Does not exist
|
|
upstream |
Released
(7.58-1)
|
|
trusty |
Released
(7.26-1ubuntu0.1+esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
xenial |
Released
(7.44-1ubuntu1~16.04.0+esm1)
Available with Ubuntu Pro |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |