Drupal finally addressed the critical CVE-2018-7600 Drupalgeddon2 vulnerability

The Drupal development team has fixed the drupalgeddon2 vulnerability that could be exploited by an attacker to take over a website.

A few days ago, Drupal Security Team confirmed that a “highly critical” vulnerability, tracked as CVE-2018-7600, affects Drupal 7 and 8 core and announced the availability of security updates on March 28th.

The vulnerability was discovered by the Drupal developers Jasper Mattsson.

Both Drupal 8.3.x and 8.4.x are not supported, but due to the severity of the flaw the Drupal Security Team decided to address it with specific security updates.

Now the Drupal development team has fixed the vulnerability that could be exploited by an attacker to run arbitrary code on the CMS core component and take over a website just by accessing an URL.

The Drupal CMS currently runs on over one million websites, it is the second most popular content management system behind WordPress.

Website administrators should immediately upgrade their sites to Drupal 7.58 or Drupal 8.5.1.

The flaw was dubbed Drupalgeddon2 after the CVE-2014-3704 Drupalgeddon security vulnerability that was discovered in 2014 that was exploited in numerous successful attacks in the wild.

The good news is that at the time there is no public proof-of-concept code available online.

The Drupal team also issued security patches for the 6.x versions that were discontinued in February 2016.

“This issue also affects Drupal 6. Drupal 6 is End of Life. For more information on Drupal 6 support please contact a D6LTS vendor.” continues the advisory.