Content management system Drupal just released a statement confirming a “highly critical” vulnerability found in versions 6, 7 and 8. According to an analysis by Sitelock, only 18% of Drupal websites are on the latest update, so there are over one million vulnerable sites in need of the new security patch.
The vulnerability allows an attacker to take control of an affected site just by visiting it; the attacker can then modify or delete the affected site’s data and would also have access to non-public data. The good news is that, to Drupal’s knowledge, the issue is not currently being exploited.
HostDime techs are putting up a firewall block within the next few hours, but in the meantime, please update your Drupal installation to the latest version. Here are the instructions per version:
If you are running 8.3.x, upgrade to Drupal 8.3.9 or apply this patch.
If you are running 8.4.x, upgrade to Drupal 8.4.6 or apply this patch.
This issue also affects Drupal 8.2.x and earlier, which are no longer supported. If you are running any of these versions of Drupal 8, update to a more recent release and then follow the instructions above.
This issue also affects Drupal 6. Drupal 6 reached End of Life in February 2016.
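The per-version instructions above, applied to a list of installed version strings. This is an added example, not code from Drupal or HostDime; the function names and the sample inventory are constructed. It compares version components numerically, so 8.3.10 is not mistaken for a release older than 8.3.9.

```python
import re

# Fixed releases exactly as listed in the post; no other branch has one listed there.
FIXED = {(8, 3): (8, 3, 9), (8, 4): (8, 4, 6)}


def parse_version(text):
    """Turn '8.4.5' or '6.38' into a tuple of ints; None if it does not parse."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups() if g is not None)


def triage(version_text):
    """Map one installed Drupal version to the action the post gives for it."""
    v = parse_version(version_text)
    if v is None:
        return "unknown: could not parse version"
    if v[0] == 6:
        return "affected: Drupal 6 is End of Life"
    if v[0] == 7:
        return "affected: no fixed 7.x release is listed in the post"
    if v[0] == 8 and len(v) == 3:
        branch = v[:2]
        if branch in FIXED:
            fixed = ".".join(map(str, FIXED[branch]))
            # Tuple comparison is numeric per component: (8, 3, 10) > (8, 3, 9).
            if v >= FIXED[branch]:
                return "ok: at or above " + fixed
            return "affected: upgrade to " + fixed
        if branch <= (8, 2):
            return "affected: unsupported branch, move to a more recent release first"
    return "not covered: branch is not mentioned in the post"


if __name__ == "__main__":
    # Constructed inventory of site names and versions, for illustration only.
    inventory = {"shop": "8.3.8", "blog": "8.3.10", "intranet": "8.1.2",
                 "legacy": "6.38", "wiki": "7.56", "new": "8.4.6"}
    for site, version in sorted(inventory.items()):
        print(f"{site:10} {version:8} {triage(version)}")
```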
If you are a HostDime client with any questions, don’t hesitate to contact our 24/7 support team.
Jared Smith is HostDime’s SEO and Content Strategist.