Drupalgeddon 2

ID AKB:3374FB55-2A44-4607-A9C5-265E7DE9B936
Type attackerkb
Reporter AttackerKB
Modified 2020-05-12T19:53:35


This exploits a Drupal property injection in the Forms API. Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are vulnerable.

Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.

Recent assessments:

J3rryBl4nks at 2020-03-03T15:50:55.583984Z reported: Due to many public exploits for this flaw this is an incredibly valuable tool for an attacker to have in their arsenal. My favorite variant of this exploit is: https://github.com/g0tmi1k/Drupalgeddon2

Assessed Attacker Value: 4 Assessed Exploitability: 5 busterb at 2019-05-09T17:57:36.446335Z reported: Many versions were vulnerable, and the vulnerability was in a well-used API. The exploit took some time to develop due to a need for a deep understanding of Drupal internals (see blog post in references).

Assessed Attacker Value: 4 Assessed Exploitability: 5