-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI
PHPPHP| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| drupal/core | composer | >= 7.0, < 7.59 | 7.59 |
| drupal/core | composer | >= 8.0, < 8.4.8 | 8.4.8 |
| drupal/core | composer | >= 8.5, < 8.5.3 | 8.5.3 |
| drupal/drupal | composer | >= 7.0, < 7.59 | 7.59 |
| drupal/drupal | composer | >= 8.0, < 8.4.8 | 8.4.8 |
| drupal/drupal | composer | >= 8.5, < 8.5.3 | 8.5.3 |
Miggo AIRoot Cause AnalysisThe vulnerability (CVE-2018-7602) exploits Drupal's Form API and Render API. Attackers inject malicious #post_render callbacks (e.g., passthru) and #markup content via form parameters. The Renderer::render function processes these tainted render arrays, executing arbitrary code. The FormBuilder::buildForm vulnerability allows manipulation of form_build_id to trigger AJAX handlers with injected payloads. These functions lack proper input validation for user-controlled render array properties, leading to remote code execution. The exploit mechanics (form token manipulation, AJAX callback abuse) and CWE-94 alignment confirm these components as the attack surface.
Ongoing coverage of React2Shell