Worse, attackers have already been spotted targeting the flaw to deliver cryptocurrency miners and other payloads
Days after the team behind Drupal urged website admins to apply an update patching a highly critical vulnerability in the content management system (CMS) platform, threat actors were spotted exploiting the loophole in the wild.
The remote code execution (RCE) vulnerability in the Drupal core was assigned a security risk score of 23/25 by the organization behind the platform. The flaw, tracked as CVE-2019-6340, stems from the fact that “some field types do not properly sanitize data from non-form sources”, which may enable attackers to execute arbitrary PHP code on vulnerable sites, reads Drupal’s security alert.
As a result, the team urged Drupal 8.6.x users to update to version 8.6.10 and those with sites running 8.5.x to update to 8.5.11. Older versions of Drupal 8 won’t receive an update, whereas no core update is required for Drupal 7. That said, sites running Drupal 7 may still be vulnerable due to the bug affecting several contributed modules, so admins were urged to check for patches to those modules.