Drupal critical flaw

Filip Pokorný

Feb. 21, 2019

A critical vulnerability (CVE-2019-6340) has been discovered in the popular content management system (CMS) Drupal. It allows remote code execution by an unauthenticated attacker. A site is affected only if one of the following conditions is met:

  • the site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or
  • the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.

All users and administrators are encouraged to review the security advisory from the Drupal Security team and apply the necessary updates.
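
The two Drupal 8 conditions listed above can be checked against a site's exported configuration directory. The shell function below is an added example, not code from Drupal or from the advisory; it assumes the Drupal 8 exported-configuration layout (core.extension.yml plus rest.resource.*.yml files) and the module machine names rest and jsonapi, and it does not cover the Drupal 7 modules.

```shell
#!/bin/sh
# Added example. Audits an exported Drupal 8 configuration directory for the
# two Drupal 8 conditions in the advisory. Assumed layout: core.extension.yml
# lists enabled modules as "  <name>: <weight>", and each REST resource is a
# rest.resource.*.yml file naming its HTTP methods.

audit_sync_dir() {
    dir=$1
    found=0
    # Condition 1: rest enabled AND some resource accepts PATCH or POST.
    if grep -Eq '^  rest:[[:space:]]' "$dir/core.extension.yml"; then
        for f in "$dir"/rest.resource.*.yml; do
            [ -f "$f" ] || continue
            # Matches "- POST" (list form) and "POST:" (per-method form).
            if grep -Eq '^[[:space:]]+(- )?(PATCH|POST):?[[:space:]]*$' "$f"; then
                echo "rest: ${f##*/} allows PATCH or POST"
                found=1
            fi
        done
    fi
    # Condition 2: another web services module (JSON:API) is enabled.
    if grep -Eq '^  jsonapi:[[:space:]]' "$dir/core.extension.yml"; then
        echo "jsonapi: enabled"
        found=1
    fi
    [ "$found" -eq 1 ] || echo "no exposure condition met"
}

# Constructed sample configuration (not from a real site).
make_sample() {
    mkdir -p "$1"
    printf 'module:\n  node: 0\n  rest: 0\n  serialization: 0\n' \
        > "$1/core.extension.yml"
    printf 'id: entity.node\ngranularity: resource\nconfiguration:\n  methods:\n    - GET\n    - POST\n' \
        > "$1/rest.resource.entity.node.yml"
}

sample=$(mktemp -d)
make_sample "$sample/sync"
audit_sync_dir "$sample/sync"
rm -rf "$sample"
```

A match only shows that a condition from the advisory is met; the fix is still the update from the Drupal Security team.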