The remote execution flaw exists because some field types do not properly sanitize data from non-form sources and this can be exploited to achieve arbitrary PHP code execution. It is deemed highly critical because it can be exploited by unauthenticated attackers and only requires easily achievable user interaction (a visit to a malicious page).
Still, there is some good news: it was discovered by Samuel Mortenson of the Drupal Security Team, it is currently not being exploited in the wild, and there is still no public exploit code or documentation on exploit development.
An additional mitigating factor is that only specific site configurations are affected by this vulnerability. Sites are affected if they have:
- The Drupal 8 core RESTful Web Services (rest) module enabled and allow PATCH or POST requests, or
- Another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.
Fixes are available
The vulnerability has already been patched and users are advised to upgrade their installations to version 8.6.10 or 8.5.11.
“Be sure to install any available security updates for contributed projects after updating Drupal core,” the security team warned. “No core update is required for Drupal 7, but several Drupal 7 contributed modules do require updates.”
If a quick update is impossible, users can mitigate the danger by disabling all web services modules or configuring their web servers to not allow PUT/PATCH/POST requests to web services resources.
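One way to apply the web-server part of that interim mitigation, shown here as an added example that is not part of the article or the Drupal advisory: an Apache 2.4 configuration fragment that refuses PUT, PATCH and POST on the paths where the site exposes its web services resources, while leaving read-only methods untouched. The matched paths are assumptions (`jsonapi` is the JSON:API module's default prefix; `PLACEHOLDER_REST_PATH` is a placeholder) and must be replaced with the resource paths the site actually exposes through the rest, JSON:API, Services or RESTful Web Services modules.

```apache
# Added example (not from the Drupal advisory or the article): deny write methods
# on web services resource paths while the core update is pending. Apache 2.4 syntax.
# Path list is an assumption: "jsonapi" is the JSON:API module default prefix and
# PLACEHOLDER_REST_PATH stands in for whatever paths your REST resources are configured on.
<LocationMatch "^/(jsonapi|PLACEHOLDER_REST_PATH)(/|$)">
    # Everything except the read-only methods is refused with 403 Forbidden.
    <LimitExcept GET HEAD OPTIONS>
        Require all denied
    </LimitExcept>
</LocationMatch>
```

After reloading Apache, a PATCH or POST request to one of the covered paths should return 403 Forbidden while GET requests to the same paths keep working. Because this also blocks legitimate write operations through those endpoints, it is a stopgap for the period until 8.6.10 or 8.5.11 (and the updated Drupal 7 contributed modules) are installed, not a replacement for the update.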