A critical flaw in the Drupal website content management system (CMS) has been patched. The vulnerability is in the core component of the CMS and could allow a threat actor to compromise and take full control of a website.
The vulnerability was introduced in Drupal 8.7.4 and is reachable only when the currently experimental Workspaces module is enabled; with that module on, it creates an exploitable access bypass. The flaw is tracked as CVE-2019-6342 and was fixed in Drupal 8.7.5, released on July 17, 2019. No other versions of Drupal are affected.
Most sites on version 8.7.4 will be affected, as the flaw is exploitable in default and common configurations. Drupal’s usage statistics indicate that around 27% of Drupal sites run version 8.x and may therefore be vulnerable; those statistics put the count at 290,958 websites, but they are incomplete, because not all sites report their Drupal version, so the true number of exposed sites could be higher.
The vulnerability can be exploited without any authentication or registration, simply by visiting a vulnerable website.
All Drupal users should check which version they are running, and anyone on 8.7.4 should upgrade to 8.7.5 as soon as possible to prevent their sites being attacked. Updating the code alone is not enough: Drupal’s cache must be cleared, which running update.php does as part of the update, and any reverse proxy or content delivery network in front of the site should have its cache purged as well.
Admins who cannot download and apply the update immediately should put an interim mitigation in place. Since the flaw lives in the Workspaces module, the simplest mitigation is to disable that module on every site running Drupal 8.7.4; this is a stopgap rather than a fix, and the update to 8.7.5 should still follow.
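The check-and-remediate procedure above, written out as a shell script. This is an added example, not code from the article or from the Drupal project, and it makes several assumptions: a Drupal 8 codebase whose core/lib/Drupal.php declares `const VERSION = '…';`, a site managed with Composer (`drupal/core`) and Drush 9 (`pm:list`, `pm:uninstall`, `updatedb`, `cache:rebuild`), and a module list in the shape Drush prints. The sample Drupal.php content and module list are constructed inline so the script runs offline; the remediation commands are only printed unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example, not from the article or the Drupal project: an offline check for
# the CVE-2019-6342 precondition (core 8.7.4 with Workspaces enabled) followed by
# the remediation commands. Assumptions: core/lib/Drupal.php declares
# `const VERSION = '...';`, Drush 9 command names, and a Composer-managed
# drupal/core. Commands are printed, not executed, unless DRY_RUN=0.

# Print the core version declared in Drupal.php (file argument or stdin).
drupal_core_version() {
  sed -n "s/^[[:space:]]*const VERSION = '\([^']*\)';.*/\1/p" "$@" | head -n 1
}

# Only one release is affected, so this is an exact match, not a range check.
core_is_affected() {
  [ "$1" = "8.7.4" ]
}

# Read a module list on stdin (one machine name per line, the shape of
# `drush pm:list --type=module --status=enabled --format=list`) and succeed
# when the Workspaces module is among the enabled modules.
workspaces_enabled() {
  grep -qx 'workspaces'
}

# Combine both conditions into one verdict word:
#   vulnerable             8.7.4 with Workspaces enabled: exploitable unauthenticated
#   update-still-required  8.7.4 with Workspaces disabled: not exploitable, but patch
#   not-affected           any other core version
assess() {
  ver="$1"
  modules="$2"
  if core_is_affected "$ver"; then
    if printf '%s\n' "$modules" | workspaces_enabled; then
      echo vulnerable
    else
      echo update-still-required
    fi
  else
    echo not-affected
  fi
}

# Run a command, or just show it when DRY_RUN is unset or 1.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    echo "+ $*"
  else
    "$@"
  fi
}

# Interim mitigation: turn the Workspaces module off. Run from the site root.
mitigate() {
  run drush pm:uninstall workspaces -y
}

# The actual fix: move core to 8.7.5, run the database updates (the Drush
# equivalent of update.php, which also clears Drupal's cache) and rebuild the
# cache explicitly. Caches in front of the site are outside Drupal's reach and
# must be purged separately.
update_core() {
  run composer update drupal/core --with-dependencies
  run drush updatedb -y
  run drush cache:rebuild
  echo "Now purge any reverse proxy or CDN cache in front of the site."
}

# Constructed inputs for a stand-alone run; not captured from a real site.
SAMPLE_DRUPAL_PHP="<?php
class Drupal {
  const VERSION = '8.7.4';
}"
SAMPLE_MODULES="node
user
workspaces"

ver=$(printf '%s\n' "$SAMPLE_DRUPAL_PHP" | drupal_core_version)
verdict=$(assess "$ver" "$SAMPLE_MODULES")
echo "core $ver: $verdict"
case "$verdict" in
  vulnerable)            mitigate; update_core ;;
  update-still-required) update_core ;;
esac
```

On a real site, replace the constructed samples with `drupal_core_version core/lib/Drupal.php` and `drush pm:list --type=module --status=enabled --format=list`. Sites installed from a tarball rather than Composer need the 8.7.5 files copied in by hand instead of the `composer update` step; the `updatedb` and cache steps are unchanged.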