Two Critical RCE Bugs Patched in Drupal 7 and 8

Drupal is urging users to upgrade to the latest release that fixes two critical remote code execution bugs impacting Drupal 7 and Drupal 8. Developers have also identified three additional “moderately critical” vulnerabilities.

“A remote attacker could exploit some of these vulnerabilities to take control of an affected system,” according to a security bulletin posted by the United States Computer Emergency Readiness Team (US CERT).

The critical bugs, disclosed this week, include an injection vulnerability in the default Drupal mail backend, which uses PHP’s mail function [DefaultMailSystem::mail()] in Drupal 7 and 8.

Source: ThreatPost