// For flags

CVE-2018-7602

Drupal Core Remote Code Execution Vulnerability

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

5
*Multiple Sources

Exploited in Wild

Yes
*KEV

Decision

-
*SSVC
Descriptions

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.

Existe una vulnerabilidad de ejecución remota de código en múltiples subsistemas de Drupal en versiones 7.x y 8.x. Esto podría permitir que los atacantes exploten múltiples vectores de ataque en un sitio de Drupal, lo que podría resultar en el compromiso del sitio. Esta vulnerabilidad está relacionada con Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Tanto SA-CORE-2018-002 como esta vulnerabilidad se están explotando "in the wild".

A remote code execution vulnerability exists within multiple subsystems of Drupal that can allow attackers to exploit multiple attack vectors on a Drupal site.

*Credits: Reported By: David Rothstein of the Drupal Security Team Alex Pott of the Drupal Security Team Heine Deelstra of the Drupal Security Team Jasper Mattsson Fixed By: David Rothstein of the Drupal Security Team xjm of the Drupal Security Team Samuel Mortenson of the Drupal Security Team Alex Pott of the Drupal Security Team Lee Rowlands of the Drupal Security Team Heine Deelstra of the Drupal Security Team Pere Orga of the Drupal Security Team Peter Wolanin of the Drupal Security Team Tim Plunkett Michael Hess of the Drupal Security Team Nate Lampton Jasper Mattsson Neil Drumm of the Drupal Security Team Cash Williams of the Drupal Security Team Daniel Wehner
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2018-03-01 CVE Reserved
  • 2018-04-26 CVE Published
  • 2018-07-17 First Exploit
  • 2022-04-13 Exploited in Wild
  • 2022-05-04 KEV Due Date
  • 2024-09-13 EPSS Updated
  • 2024-09-17 CVE Updated
CWE
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Drupal
Search vendor "Drupal"
 Drupal
Search vendor "Drupal" for product "Drupal"
 >= 7.0 < 7.59
Search vendor "Drupal" for product "Drupal" and version " >= 7.0 < 7.59"
-
Affected
Drupal
Search vendor "Drupal"
 Drupal
Search vendor "Drupal" for product "Drupal"
 >= 8.4.0 < 8.4.8
Search vendor "Drupal" for product "Drupal" and version " >= 8.4.0 < 8.4.8"
-
Affected
Drupal
Search vendor "Drupal"
 Drupal
Search vendor "Drupal" for product "Drupal"
 >= 8.5.0 < 8.5.3
Search vendor "Drupal" for product "Drupal" and version " >= 8.5.0 < 8.5.3"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 7.0
Search vendor "Debian" for product "Debian Linux" and version "7.0"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 8.0
Search vendor "Debian" for product "Debian Linux" and version "8.0"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 9.0
Search vendor "Debian" for product "Debian Linux" and version "9.0"
-
Affected