Drupal Highly Critical RCE vulnerability has known public exploits

Drupal vulnerability

Drupal updated the severity of a remote code execution (RCE) vulnerability to “Highly Critical” after experts discovered known public exploits.

Drupal released the security advisory SA-CORE-2019-003 for a highly critical RCE bug, CVE-2019-6340, that impacts Drupal 8.5.x and 8.6.x.

Some field types do not properly sanitize data from non-form sources. As a result, an attacker could in some cases execute arbitrary PHP code.

The severity was raised soon after experts discovered a new exploit path.

“In the original SA we indicated this could be mitigated by blocking POST, PATCH and PUT requests to web services resources; there is now a new way to exploit this using GET requests,” Drupal added in the follow-up advisory PSA-2019-02-22, published on Saturday.

System administrators running 8.5.x or 8.6.x should update to Drupal 8.5.11 or Drupal 8.6.10, respectively.

Security updates for contributed projects should also be applied after Drupal core has been updated.
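Because the request-method blocking from the original advisory no longer holds, the only reliable check is whether the deployed core is at or above the fixing release for its branch. The script below is an added example, not code from Drupal or from this article: it reads the `VERSION` constant from `core/lib/Drupal.php` (assumption: the file declares `const VERSION = '8.x.y';`, as Drupal 8 does) and compares it numerically against 8.5.11 / 8.6.10. The comparison is done on integer tuples, not strings, because a naive string compare ranks `8.6.9` above `8.6.10`; a pre-release suffix such as `-rc1` is ranked below the final release of the same number. Branches the advisory does not name return `None` rather than a verdict, since the page gives no fixed release for them. The `SAMPLE_DRUPAL_PHP` excerpt is constructed for the demo.

```python
"""Check a Drupal 8 core version against the releases that fix
CVE-2019-6340 (SA-CORE-2019-003): 8.5.11 for 8.5.x, 8.6.10 for 8.6.x.
Added example; not Drupal's own code or the article's."""
import re
from typing import Optional, Tuple

# Fixing release per branch, as stated in the advisory.
FIXED_RELEASES = {
    (8, 5): (8, 5, 11),
    (8, 6): (8, 6, 10),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """'8.6.9' -> (8, 6, 9, 1); '8.6.10-rc1' -> (8, 6, 10, 0).

    Integers avoid the lexicographic trap where '8.6.9' > '8.6.10'.
    The trailing flag ranks a pre-release below the final release
    that carries the same number."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, patch, 0 if m.group(4) else 1)


def is_patched(version: str) -> Optional[bool]:
    """True if `version` is at or above the fixing release for its branch,
    False if below it, None if the branch is not one the advisory names
    (the page gives no fixed release for it, so no verdict is possible)."""
    parsed = parse_version(version)
    fixed = FIXED_RELEASES.get(parsed[:2])
    if fixed is None:
        return None
    # Final releases carry flag 1, so the fixing release itself passes.
    return parsed >= fixed + (1,)


def version_from_drupal_php(source: str) -> str:
    """Extract the VERSION constant from the text of core/lib/Drupal.php.
    Assumption: the file declares `const VERSION = '8.x.y';`."""
    m = re.search(r"const\s+VERSION\s*=\s*'([^']+)'", source)
    if not m:
        raise ValueError("no VERSION constant found in Drupal.php source")
    return m.group(1)


# Constructed excerpt standing in for a real core/lib/Drupal.php.
SAMPLE_DRUPAL_PHP = """<?php
class Drupal {
  const VERSION = '8.6.9';
  const CORE_COMPATIBILITY = '8.x';
}
"""

if __name__ == "__main__":
    # Real use: open("core/lib/Drupal.php").read() instead of the sample.
    found = version_from_drupal_php(SAMPLE_DRUPAL_PHP)
    verdict = is_patched(found)
    state = {True: "patched", False: "NOT patched", None: "branch not covered"}[verdict]
    print(f"Drupal core {found}: {state} against SA-CORE-2019-003")
```

Run it from the Drupal document root (replacing the sample with the real file contents) as part of the post-update check; a `None` result means the site is on a branch the advisory does not list, which deserves a separate look rather than being read as safe.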