Drupal has released a security update to address multiple vulnerabilities in Drupal Core versions 7.x and 8.x.
Two critical bugs were fixed (affected versions in parentheses):
- Injection in DefaultMailSystem::mail() – Remote Code Execution (Drupal 7 and 8)
- Contextual Links validation – Remote Code Execution (Drupal 8)
Three moderately critical bugs were also addressed:
- Content moderation – Access bypass (Drupal 8)
- External URL injection through URL aliases – Open Redirect (Drupal 7 and Drupal 8)
- Anonymous Open Redirect – Open Redirect (Drupal 8)
Admins should upgrade to the latest versions of Drupal as outlined in the advisory (SA-CORE-2018-006).