9.8

CVSS Score

3.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-7600

CVE-2018-7600: Drupal Core Remote Code Execution Vulnerability

Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2018-7600

CVE-2018-7600:

9.8

CVSS Score

3.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
drupal/core	composer	>= 7.0, < 7.58	7.58
drupal/core	composer	>= 8.0, < 8.3.9	8.3.9
drupal/core	composer	>= 8.4.0, < 8.4.6	8.4.6
drupal/core	composer	>= 8.5.0, < 8.5.1	8.5.1
drupal/drupal	composer	>= 7.0, < 7.58	7.58
drupal/drupal	composer	>= 8.0, < 8.3.9	8.3.9
drupal/drupal	composer	>= 8.4, < 8.4.6	8.4.6
drupal/drupal	composer	>= 8.5, < 8.5.1	8.5.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insufficient input validation in Drupal's Form API and rendering system. Attackers could inject array keys starting with '#' (e.g., #post_render, #lazy_builder) via user-controlled parameters like the registration form's mail field. These keys were processed by FormBuilder::doBuildForm and Renderer::renderRoot, which executed callbacks without proper authorization. The absence of RequestSanitizer::stripDangerousValues in vulnerable versions allowed this injection. The exploit leveraged AJAX callbacks (e.g., element_parents) to trigger rendering of malicious arrays, leading to RCE. The patch introduced input sanitization to strip dangerous keys, confirming the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2018-7600: Drupal Core Remote Code Execution Vulnerability

CVE-2018-7600:

9.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

9.8

9.8

Basic Information

Basic Information

Technical Details

CVE-2018-7600: Drupal Core Remote Code Execution Vulnerability

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI