Drupal has today released an official patch for all Drupal 8 websites, mitigating a critical vulnerability in the content management system.
Drupal has today (February 20, 2019) released a fix for the critical security vulnerability, referenced as CVE-2019-6340, which resolves a major flaw in the content management system.
The security team at Drupal urges all site administrators and developers to update all installations of Drupal 8 to the latest version of the CMS, which is now Drupal 8.6.10.
If you're running a version of Drupal 8 prior to 8.5, it is recommended that you upgrade to at least Drupal 8.5.11 immediately.
Versions of Drupal 8 previous to this are no longer supported, and therefore do not receive security updates of any kind.
Drupal 7 users have also been prompted to verify that their website is not running any affected contributed modules, as this can introduce the security flaw into version 7 of the CMS as well.
Thankfully, sites running Drupal 7 do not require an update to the core CMS.
The security vulnerability has been rated as 20/25 according to Drupal's official security scoring system.
This makes the vulnerability highly critical. An anonymous attacker could theoretically take over an entire Drupal site and access non-public information.
The vulnerability is a remote code execution flaw related to Drupal's use of PHP.
Your Drupal installation should remain secure, as long as:
- a) your Drupal sites have been updated to the latest respective version of Drupal, and
- b) you are not running a version of Drupal between Drupal 8.0.0 and 8.5.10, and
- c) any affected modules used by your Drupal 7 site have been updated, and
- d) any other contributed modules used by your website, whether on Drupal 7, 8.5.11, or 8.6+, are running the latest secure release.
If any of the above conditions have not been met, you are urged to update to the latest version of Drupal and all contributed modules ASAP.
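To apply these conditions across more than one site, the following added example (not code from Drupal or from this post) triages an inventory of core versions against the releases named above. The hostnames and installed versions are constructed, and treating 8.6.x releases below 8.6.10 as needing an update is an assumption drawn from the post naming 8.6.10 as the current release.

```python
import re

# Release thresholds quoted in the post above.
FIXED_85 = (8, 5, 11)  # minimum fixed release on the 8.5 branch
FIXED_86 = (8, 6, 10)  # latest Drupal 8 release named in the post
ORDER = ["unsupported", "vulnerable", "unknown", "core-ok", "patched"]

def classify(version):
    """Map a Drupal core version string to (status, action)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        # Dev snapshots such as '8.6.x-dev' cannot be compared safely.
        return ("unknown", "review manually")
    v = tuple(int(g or 0) for g in m.groups())
    if v[0] == 7:
        # Drupal 7 core needs no update; contributed modules still do.
        return ("core-ok", "check contributed modules")
    if v[0] != 8:
        return ("unknown", "review manually")
    if v < (8, 5, 0):
        # Branches before 8.5 no longer receive security updates.
        return ("unsupported", "upgrade to at least 8.5.11")
    if v < FIXED_85:
        return ("vulnerable", "update to 8.5.11")
    if (8, 6, 0) <= v < FIXED_86:
        return ("vulnerable", "update to 8.6.10")
    return ("patched", "check contributed modules")

def triage(inventory):
    """Return (site, version, status, action) rows, most urgent first."""
    rows = [(site, ver) + classify(ver) for site, ver in inventory.items()]
    return sorted(rows, key=lambda r: (ORDER.index(r[2]), r[0]))

# Constructed inventory: hostnames and versions are made up for illustration.
SAMPLE = {
    "intranet.example": "8.4.8",
    "shop.example": "8.5.10",
    "blog.example": "8.6.9",
    "docs.example": "8.6.10",
    "legacy.example": "7.63",
    "staging.example": "8.6.x-dev",
    "api.example": "8.5.11",
}

if __name__ == "__main__":
    for site, ver, status, action in triage(SAMPLE):
        print(f"{site:18} {ver:10} {status:12} {action}")
```

A "patched" or "core-ok" result covers core only; condition d) on contributed modules still has to be checked per site.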
For any enquiries related to the security of your Drupal site, feel free to contact our team of dedicated Drupal security experts.