DRUPAL-CORE-2018-004

See a problem?
Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/core/DRUPAL-CORE-2018-004.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CORE-2018-004
Aliases
Published
2018-04-25T16:13:58Z
Modified
2025-12-10T23:41:10.391859Z
Summary
[none]
Details

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.

Updated — this vulnerability is being exploited in the wild.

References
Credits

Affected packages

Packagist / drupal/core

Package

Name
drupal/core
Purl
pkg:composer/drupal/core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0
Fixed
8.4.8
Database specific 
{
    "constraint": ">= 8.0.0 <8.4.8"
}
Type
ECOSYSTEM
Events
Introduced
8.5.0
Fixed
8.5.3
Database specific 
{
    "constraint": ">=8.5.0 <8.5.3"
}

Affected versions

8.*

8.0.0
8.0.1
8.0.2
8.0.3
8.0.4
8.0.5
8.0.6
8.1.0-beta1
8.1.0-beta2
8.1.0-rc1
8.1.0
8.1.1
8.1.2
8.1.3
8.1.4
8.1.5
8.1.6
8.1.7
8.1.8
8.1.9
8.1.10
8.2.0-beta1
8.2.0-beta2
8.2.0-beta3
8.2.0-rc1
8.2.0-rc2
8.2.0
8.2.1
8.2.2
8.2.3
8.2.4
8.2.5
8.2.6
8.2.7
8.2.8
8.3.0-alpha1
8.3.0-beta1
8.3.0-rc1
8.3.0-rc2
8.3.0
8.3.1
8.3.2
8.3.3
8.3.4
8.3.5
8.3.6
8.3.7
8.3.8
8.3.9
8.4.0-alpha1
8.4.0-beta1
8.4.0-rc1
8.4.0-rc2
8.4.0
8.4.1
8.4.2
8.4.3
8.4.4
8.4.5
8.4.6
8.4.7
8.5.0
8.5.1
8.5.2

Database specific

affected_versions

">=7.0 <7.59 || >= 8.0.0 <8.4.8 || >=8.5.0 <8.5.3"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/core/DRUPAL-CORE-2018-004.json"