Drupal

A severe vulnerability in Drupal’s content management software was recently discovered by the Drupal CMS team. Dubbed Drupalgeddon2, the flaw (CVE-2018-7600) could allow threat actors to take over a vulnerable site simply by accessing the URL. Although there is no proof-of-concept (PoC) code at this time, Drupal’s security team anticipates that threat actors will actively exploit the vulnerability within hours or days. The flaw was assigned a severity score of 21 out of 25, and it is critical that owners and administrators of websites running Drupal 7.x and 8.x immediately update to Drupal 7.58 and 8.5.1, respectively. End-of-Life Drupal 6 is also affected; those running Drupal 6 may visit the Drupal 6 Long Term Support site and apply the provided patch. The NJCCIC recommends that all Drupal site owners and administrators review the Drupal security advisory for more information and update their sites to a patched version immediately, or implement mitigation solutions until a patch can be applied.
