CVE-2018-7600

NameCVE-2018-7600
DescriptionDrupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1325-1, DSA-4156-1
Debian Bugs894259

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
drupal7 (PTS)wheezy7.14-2+deb7u12vulnerable
wheezy (security)7.14-2+deb7u18fixed
jessie7.32-1+deb8u9vulnerable
jessie (security)7.32-1+deb8u11fixed
stretch7.52-2+deb9u2vulnerable
stretch (security)7.52-2+deb9u3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
drupal7source(unstable)7.58-1894259
drupal7sourcejessie7.32-1+deb8u11DSA-4156-1
drupal7sourcestretch7.52-2+deb9u3DSA-4156-1
drupal7sourcewheezy7.14-2+deb7u18DLA-1325-1

Notes

https://www.drupal.org/sa-core-2018-002
https://groups.drupal.org/security/faq-2018-002
https://www.drupal.org/psa-2018-001
Drupal 7.x Patch: https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a83db50e2f97682d9a0fb8a18e2722cba5

Search for package or bug name: Reporting problems