2D Drupal 7 vulnerabilities that have yet to be fixed are still being exploited in the wild.
1D Drupal 8 vulnerabilities that are still exploitable are also in use.
3D Drupal 9 vulnerabilities are also being exploited.
The three Drupal 7 flaws are still used widely, but Drupal 8 has been patched.
However, 1D and 3D CVEs are still present.
The first vulnerability in 1D CVE-2016-8274 was first discovered by researcher David A. Cappelli in December 2016.
That vulnerability was patched in May 2017, but the bug has since been exploited again.
In this exploit, an attacker uses a specially crafted page to upload a malicious file to a target website.
This file contains a PHP script that creates a backdoor that is accessible to a remote attacker through a “sandbox” web page.
When a user visits the target website, the attacker will be able to download the file and execute arbitrary PHP code.
In the process, the attackers will be allowed to execute arbitrary commands and upload the malicious file.
While the exploit itself isn’t a serious problem, the exploit allows an attacker to remotely execute arbitrary scripts on the site.
This allows attackers to remotely run code on the targeted site without the user’s knowledge.
The vulnerability also allows an administrator to remotely access the affected site without being logged in, allowing an attacker control over the server.
The second vulnerability in 2D CVE–2016-8521 was first found by researcher Kevin M. Mooij in March 2017.
That CVE-2017-8578 was patched at the same time.
The exploit was patched last month.
The exploit allows a remote administrator to execute PHP code on a website, allowing for remote code execution.
In addition, the PHP code can be injected into the site by the user, allowing the attacker to take control of the target server.
In the exploit, the administrator uploads a specially modified file to the site and instructs the user to execute it.
This malicious file is called an exploit module.
The module will then download an additional file, called an attacker module.
Once the exploit module has been downloaded, it will execute the malicious code on behalf of the administrator.
Once the user clicks on the malicious exploit module, the adminuser’s control of a server can be transferred to the attacker.
Once an attacker is in control of an affected server, the victim’s browser will open a remote shell, which can be used to execute code on that server.
An attacker can then upload and execute PHP scripts to the targeted server, allowing them to perform various attacks.
In response to the attacks, several organizations and vendors have released updates to their Drupal sites to mitigate the vulnerabilities.
The following are some of the major updates that are available.
This list is updated as the vulnerabilities are patched.