CVE-2018-7602
Summary
| CVE | CVE-2018-7602 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2018-07-19 17:29:00 UTC |
| Updated | 2023-11-07 03:01:00 UTC |
| Description | A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild. |
Risk And Classification
EPSS: 0.990690000 probability, percentile 0.999260000 (date 2026-06-27)
CISA KEV: Listed on 2022-04-13; due 2022-05-04; ransomware use Known
Problem Types: NVD-CWE-noinfo
CISA Known Exploited Vulnerability
| Vendor | Drupal |
|---|---|
| Product | Core |
| Name | Drupal Core Remote Code Execution Vulnerability |
| Required Action | Apply updates per vendor instructions. |
| Notes | https://nvd.nist.gov/vuln/detail/CVE-2018-7602 |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Debian | Debian Linux | 7.0 | All | All | All |
| Operating System | Debian | Debian Linux | 8.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Operating System | Debian | Debian Linux | 7.0 | All | All | All |
| Operating System | Debian | Debian Linux | 8.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Application | Drupal | Drupal | All | All | All | All |
| Application | Drupal | Drupal | All | All | All | All |
| Application | Drupal | Drupal | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC) | EXPLOIT-DB | www.exploit-db.com | Exploit, Third Party Advisory, VDB Entry |
| Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit) | EXPLOIT-DB | www.exploit-db.com | Exploit, Third Party Advisory, VDB Entry |
| Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-004 | Drupal.org | CONFIRM | www.drupal.org | Patch, Vendor Advisory |
| Malformed Request | BID | www.securityfocus.com | Third Party Advisory, VDB Entry |
| Drupal Array Validation Flaw Lets Remote Users Execute Arbitrary Code on the Target System - SecurityTracker | SECTRACK | www.securitytracker.com | Third Party Advisory, VDB Entry |
| [SECURITY] [DLA 1365-1] drupal7 security update | MLIST | lists.debian.org | Third Party Advisory |
| Debian -- Security Information -- DSA-4180-1 drupal7 | DEBIAN | www.debian.org | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
Vendor Comments And Credit
Discovery Credit
LEGACY: Reported By: David Rothstein of the Drupal Security Team Alex Pott of the Drupal Security Team Heine Deelstra of the Drupal Security Team Jasper Mattsson Fixed By: David Rothstein of the Drupal Security Team xjm of the Drupal Security Team Samuel Mortenson of the Drupal Security Team Alex Pott of the Drupal Security Team Lee Rowlands of the Drupal Security Team Heine Deelstra of the Drupal Security Team Pere Orga of the Drupal Security Team Peter Wolanin of the Drupal Security Team Tim Plunkett Michael Hess of the Drupal Security Team Nate Lampton Jasper Mattsson Neil Drumm of the Drupal Security Team Cash Williams of the Drupal Security Team Daniel Wehner