Drupal security update

Drupal has released a security update to address multiple vulnerabilities in Drupal Core versions 7.x and 8.x.

Two critical bugs were fixed (impacted versions in parentheses):

  • Injection in DefaultMailSystem::mail() – Remote Code Execution (Drupal 7 and 8)
  • Contextual Links validation – Remote Code Execution (Drupal 8)

Three moderately critical bugs were also addressed: 

  • Content moderation – Access bypass (Drupal 8)
  • External URL injection through URL aliases – Open Redirect (Drupal 7 and Drupal 8)
  • Anonymous Open Redirect – Open Redirect (Drupal 8)

Admins should upgrade to the latest versions of Drupal as outlined in the advisory (SA-CORE-2018-006).