9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2018-7602

GHSA ID

GHSA-297x-j9pm-xjgg

EPSS Score

0.99911%

CWE

CWE-94

Published

4/23/2024

Updated

7/5/2024

KEV Status

Yes

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-7602

CVE-2018-7602: Drupal Core Remote Code Execution Vulnerability

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2018-7602

GHSA ID

GHSA-297x-j9pm-xjgg

EPSS Score

0.99911%

CWE

CWE-94

Published

4/23/2024

Updated

7/5/2024

KEV Status

Yes

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
drupal/core	composer	>= 7.0, < 7.59	7.59
drupal/core	composer	>= 8.0, < 8.4.8	8.4.8
drupal/core	composer	>= 8.5, < 8.5.3	8.5.3
drupal/drupal	composer	>= 7.0, < 7.59	7.59
drupal/drupal	composer	>= 8.0, < 8.4.8	8.4.8
drupal/drupal	composer	>= 8.5, < 8.5.3	8.5.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability (CVE-2018-7602) exploits Drupal's Form API and Render API. Attackers inject malicious #post_render callbacks (e.g., passthru) and #markup content via form parameters. The Renderer::render function processes these tainted render arrays, executing arbitrary code. The FormBuilder::buildForm vulnerability allows manipulation of form_build_id to trigger AJAX handlers with injected payloads. These functions lack proper input validation for user-controlled render array properties, leading to remote code execution. The exploit mechanics (form token manipulation, AJAX callback abuse) and CWE-94 alignment confirm these components as the attack surface.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* r*mot* *o** *x**ution vuln*r**ility *xists wit*in multipl* su*syst*ms o* *rup*l *.x *n* *.x. T*is pot*nti*lly *llows *tt**k*rs to *xploit multipl* *tt**k v**tors on * *rup*l sit*, w*i** *oul* r*sult in t** sit* **in* *ompromis**. T*is vuln*r**ility

Reasoning

T** vuln*r**ility (*V*-****-****) *xploits *rup*l's *orm *PI *n* R*n**r *PI. *tt**k*rs inj**t m*li*ious #post_r*n**r **ll***ks (*.*., p*sst*ru) *n* #m*rkup *ont*nt vi* *orm p*r*m*t*rs. T** R*n**r*r::r*n**r *un*tion pro**ss*s t**s* t*int** r*n**r *rr*

9.8

Basic Information

Concerned about an active attack path?

CVE-2018-7602: Drupal Core Remote Code Execution Vulnerability

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI