Remote Code Execution Vulnerabilities in Drupal 7 Third-party Modules

July 13, 2016

Summary

Highly critical remote code execution vulnerabilities have been announced by the Drupal security team for the third-party modules RESTWS, Coder, and Webform Multiple File Upload. [1] [2] [3]

Open Berkeley Drupal sites managed by IST Web Platform Services are NOT affected. However, ISP is aware there are many unmanaged Drupal sites on campus. Owners of Drupal sites not on the Open Berkeley platform should inspect their configuration immediately.

Impact

Successful exploitation of these vulnerabilities will allow remote, arbitrary PHP code execution against affected Drupal sites.

Vulnerable

  • RESTful Web Services module 7.x-2.x versions prior to 7.x-2.6. [1]
  • RESTful Web Services module 7.x-1.x versions prior to 7.x-1.7. [1]
  • Coder module 7.x-1.x versions prior to 7.x-1.3. [2]
  • Coder module 7.x-2.x versions prior to 7.x-2.6. [2]
  • Webform Multifile module 7.x-1.x versions prior to 7.x-1.4. [3]

Recommendations

  • If your Drupal site is not on the Open Berkeley platform, check your configuration for the affected modules and install the available security patches. [1] [2] [3]
  • NOTE: The Coder module vulnerability can be exploited even when the module is disabled. Either uninstall the module or update immediately. [2]
  • Contact IST Web Platform Services for a consultation to have your site hosted and managed on the Open Berkeley platform. Open Berkeley sites regularly receive security updates. [5]
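One way to perform the configuration check recommended above, added here as an example (not the advisory's or Drupal's own code): it reads the packaging-generated version line of each module's .info file and compares it against the fixed releases listed in this advisory. It decides from the files on disk rather than from module status, because of the Coder caveat. The module directory names restws, coder and webform_multifile are assumed, and the sample .info contents are constructed.

```python
import re

# Fixed releases per module and 7.x branch, from the advisory above.
# Keys are the modules' directory names (assumed: restws, coder, webform_multifile).
FIXED = {
    "restws": {"7.x-2.x": "7.x-2.6", "7.x-1.x": "7.x-1.7"},
    "coder": {"7.x-1.x": "7.x-1.3", "7.x-2.x": "7.x-2.6"},
    "webform_multifile": {"7.x-1.x": "7.x-1.4"},
}
VERSION_RE = re.compile(r"^7\.x-(\d+)\.(\d+)$")

def parse_version(version):
    # '7.x-2.5' -> ('7.x-2.x', 5); dev snapshots like '7.x-2.x-dev' -> (None, None)
    m = VERSION_RE.match(version.strip())
    return ("7.x-%s.x" % m.group(1), int(m.group(2))) if m else (None, None)

def is_vulnerable(module, version):
    # Decides from the version on disk only: Coder is exploitable while disabled,
    # so the enabled/disabled state in the system table must not be consulted.
    fixes = FIXED.get(module)
    if fixes is None:
        return False          # module not covered by this advisory
    branch, minor = parse_version(version)
    if branch is None:
        return True           # dev snapshot / unparseable: cannot prove it is patched
    if branch not in fixes:
        return False          # branch not listed in the advisory
    return minor < parse_version(fixes[branch])[1]

def version_from_info(info_text):
    # Read the packaging-generated 'version = "7.x-2.5"' line of a .info file.
    m = re.search(r'^\s*version\s*=\s*"?([^"\n]+?)"?\s*$', info_text, re.M)
    return m.group(1) if m else ""

def audit(info_files):
    # info_files: {module_dir_name: contents of its .info file} -> vulnerable names
    return sorted(n for n, t in info_files.items()
                  if is_vulnerable(n, version_from_info(t)))

# Constructed sample .info contents (not taken from any real site).
SAMPLE = {
    "restws": 'name = RESTful Web Services\ncore = 7.x\nversion = "7.x-2.5"\n',
    "coder": 'name = Coder\ncore = 7.x\nversion = "7.x-2.6"\n',
    "webform_multifile": 'name = Webform Multiple File Upload\ncore = 7.x\n'
                         'version = "7.x-1.x-dev"\n',
    "views": 'name = Views\ncore = 7.x\nversion = "7.x-3.14"\n',
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On a real site, feed audit() the contents of each sites/all/modules/*/*.info file keyed by directory name; a dev snapshot is flagged because its version string cannot prove the fix is present.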

References