CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.976 High
Percentile: 100.0%

Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
Recent assessments:
J3rryBl4nks at March 03, 2020 3:50pm UTC reported:
Due to many public exploits for this flaw this is an incredibly valuable tool for an attacker to have in their arsenal. My favorite variant of this exploit is: <https://github.com/g0tmi1k/Drupalgeddon2>
busterb at May 09, 2019 5:57pm UTC reported:
Due to many public exploits for this flaw this is an incredibly valuable tool for an attacker to have in their arsenal. My favorite variant of this exploit is: <https://github.com/g0tmi1k/Drupalgeddon2>
hrbrmstr at May 12, 2020 7:54pm UTC reported:
Due to many public exploits for this flaw this is an incredibly valuable tool for an attacker to have in their arsenal. My favorite variant of this exploit is: <https://github.com/g0tmi1k/Drupalgeddon2>
Assessed Attacker Value: 4
Assessed Attacker Value: 4
Assessed Attacker Value: 5
www.securityfocus.com/bid/103534
www.securitytracker.com/id/1040598
badpackets.net/over-100000-drupal-websites-vulnerable-to-drupalgeddon-2-cve-2018-7600
blog.appsecco.com/remote-code-execution-with-drupal-core-sa-core-2018-002-95e6ecc0c714
blog.rapid7.com/2018/04/27/drupalgeddon-vulnerability-what-is-it-are-you-impacted
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7600
github.com/a2u/CVE-2018-7600
github.com/g0rx/CVE-2018-7600-Drupal-RCE
github.com/rapid7/metasploit-framework/pull/9876
greysec.net/showthread.php?tid=2912&pid=10561
groups.drupal.org/security/faq-2018-002
lists.debian.org/debian-lts-announce/2018/03/msg00028.html
research.checkpoint.com/uncovering-drupalgeddon-2
twitter.com/arancaytar/status/979090719003627521
twitter.com/RicterZ/status/979567469726613504
twitter.com/RicterZ/status/984495201354854401
www.debian.org/security/2018/dsa-4156
www.drupal.org/sa-core-2018-002
www.exploit-db.com/exploits/44448
www.exploit-db.com/exploits/44449
www.exploit-db.com/exploits/44482
www.synology.com/support/security/Synology_SA_18_17
www.tenable.com/blog/critical-drupal-core-vulnerability-what-you-need-to-know
www.us-cert.gov/ncas/alerts/aa20-133a