Highly Critical Drupal CMS Flaw Affects Millions of Websites | Threatpost | The first stop for security news

The Drupal open-source content management system platform has issued an advisory for a highly critical remote-code execution (RCE) flaw in the Drupal core.

The vulnerability (CVE-2019-6340) arises from the fact that “some field types do not properly sanitize data from non-form sources,” according to Drupal’s Wednesday advisory, which was published a day after it warned admins that a major security update was coming.

Insufficient input validation can result in various kinds of code injection, opening the door for cross-site scripting, site or server hijacking, and in some cases can be used to phish user credentials or spread malware. Drupal said that the vulnerability in question can lead to arbitrary PHP code-execution in some cases.


CMS flaws are coveted by cybercriminals since they provide access to potentially millions of vulnerable sites at once. For its part, Drupal provides a back-end framework for at least 4.6 percent of all websites worldwide – ranging from personal blogs to corporate, political and government sites. Though that percentage sounds tiny, it’s the third-most popular web platform in the world after WordPress and Joomla; and given that there are around 1.6 billion websites online today, that works out to Drupal powering about 73.6 million of them.

Those using Drupal 8.6.x can upgrade to Drupal 8.6.10 to fix the issue; and those using Drupal 8.5.x or earlier can upgrade to Drupal 8.5.11. The Drupal 7 Services module itself is meanwhile unaffected, but admins should still apply other contributed updates, the team said.

Affected contributed projects include 0Auth 2.0, Entity Registration, Font Awesome Icons, JSON:API and RESTful Web Services, among others, so admins also need to grab updates for those if they’re in use.

There is some inherent mitigation for the issue: A site is only affected by the flaw if it has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests; or if the site has another web-services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.

To mitigate the vulnerability before applying the updates, admins should disable all web services modules, or configure web servers to not allow PUT/PATCH/POST requests to web services resources.

“Note that web services resources may be available on multiple paths depending on the configuration of your server(s),” according to the advisory. “For Drupal 7, resources are for example typically available via paths (clean URLs) and via arguments to the ‘q’ query argument. For Drupal 8, paths may still function when prefixed with index.php/.”

Interested in learning about mobile enterprise security threats and best practices? Don’t miss our free Threatpost webinar on Feb. 27 at 2 p.m. ET.

Join Threatpost senior editor Tara Seals, Patrick Hevesi of Gartner; Mike Burr of Google Android; and David Richardson from Lookout.

They’ll discuss the top evolving threats and risks that are unique to this work-from-anywhere environment; best practices for addressing them; and new challenges on the horizon, such as 5G services.