Websites built on Drupal, one of the more robust CMS platforms, are exposed to an extremely critical vulnerability that leaves them open to attack. The vulnerability lets an attacker use more than one attack vector to take complete control of a website. A team of Drupal developers has marked it severe. With it, hackers can easily take control of a Drupal-based website just by visiting it.
According to Drupal's official security advisory, "A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised."
To resolve this issue, Drupal has released two new versions and recommends that all websites be updated as soon as possible. Drupal 7 users should upgrade to Drupal 7.58, and Drupal 8 users should upgrade to Drupal 8.5.1.
For users who cannot install the new Drupal update, a separate Drupal security patch has been released. Given the potential severity of the issue, a new update and security patch have also been released for minor releases that the Drupal team no longer supports: Drupal 8.3.x sites need to upgrade to Drupal 8.3.9, and Drupal 8.4.x sites should upgrade to Drupal 8.4.6.
This vulnerability was discovered in an effort to encourage users to plan and upgrade as soon as the patches become available. Users running older versions of Drupal are advised to upgrade to a recent one, except for Drupal 6, which has reached the end of its official support. Fortunately, no attacks exploiting the vulnerability have been reported.
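
The upgrade guidance above, turned into a triage check for a site inventory (an added example, not code from Drupal or from the original article). The hostnames and version strings in `SAMPLE` are constructed, and sending pre-8.3 sites to 8.5.1 is an assumption based on the article's advice to move to a recent release.

```python
import re

# Fixed releases named in the article, per branch. Drupal 7 is one branch (7.N).
FIXED = {"7": (7, 58), "8.3": (8, 3, 9), "8.4": (8, 4, 6), "8.5": (8, 5, 1)}
LATEST_8 = "8.5.1"  # assumption: pre-8.3 sites move to the newest fixed 8.x release

def assess(version):
    """Return (status, target) for one reported Drupal core version string."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.]+)?", version.strip())
    if not m:
        return ("unknown", None)          # e.g. "8.5.x-dev": verify by hand
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else None
    prerelease = m.group(4) is not None   # "-rc1", "-beta2" sort before the release
    if major == 6:
        return ("end-of-life", None)      # article: Drupal 6 is out of official support
    if major == 7 and patch is None:
        branch, have = "7", (7, minor)
    elif major == 8 and patch is not None:
        if minor < 3:
            return ("upgrade", LATEST_8)
        branch, have = f"8.{minor}", (8, minor, patch)
    else:
        return ("unknown", None)
    fixed = FIXED.get(branch)
    if fixed is None:
        return ("unknown", None)          # branch not covered by the article
    if have > fixed or (have == fixed and not prerelease):
        return ("fixed", None)
    # A site that applied the standalone patch still reports its old version,
    # so "upgrade" here means "confirm the patch is applied, or upgrade".
    return ("upgrade", ".".join(map(str, fixed)))

def triage(inventory):
    """Map {site: version} to {site: (status, target)}."""
    return {site: assess(v) for site, v in inventory.items()}

# Constructed inventory for illustration; hostnames are placeholders.
SAMPLE = {
    "shop.example.test": "7.57",
    "intranet.example.test": "8.4.5",
    "blog.example.test": "8.5.0-rc1",
    "legacy.example.test": "6.38",
    "staging.example.test": "8.5.x-dev",
    "www.example.test": "8.5.1",
}

if __name__ == "__main__":
    for site, (status, target) in triage(SAMPLE).items():
        print(f"{site:24} {status:12} {target or '-'}")
```

Version strings alone cannot show whether the separate security patch was applied, so sites flagged `upgrade` that were patched in place need a manual check.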