{"id":"CVE-2018-7600","details":"Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.","aliases":["DRUPAL-CORE-2018-002","GHSA-7fh9-933g-885p"],"modified":"2026-04-10T04:11:19.331965Z","published":"2018-03-29T07:29:00.260Z","references":[{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-7600"},{"type":"ADVISORY","url":"https://groups.drupal.org/security/faq-2018-002"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2018/03/msg00028.html"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/103534"},{"type":"ADVISORY","url":"https://twitter.com/RicterZ/status/979567469726613504"},{"type":"ADVISORY","url":"https://twitter.com/RicterZ/status/984495201354854401"},{"type":"ADVISORY","url":"https://www.tenable.com/blog/critical-drupal-core-vulnerability-what-you-need-to-know"},{"type":"ADVISORY","url":"https://blog.appsecco.com/remote-code-execution-with-drupal-core-sa-core-2018-002-95e6ecc0c714"},{"type":"ADVISORY","url":"https://twitter.com/arancaytar/status/979090719003627521"},{"type":"ADVISORY","url":"https://www.debian.org/security/2018/dsa-4156"},{"type":"ADVISORY","url":"https://www.drupal.org/sa-core-2018-002"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1040598"},{"type":"ADVISORY","url":"https://badpackets.net/over-100000-drupal-websites-vulnerable-to-drupalgeddon-2-cve-2018-7600/"},{"type":"ADVISORY","url":"https://github.com/a2u/CVE-2018-7600"},{"type":"ADVISORY","url":"https://www.synology.com/support/security/Synology_SA_18_17"},{"type":"REPORT","url":"https://greysec.net/showthread.php?tid=2912&pid=10561"},{"type":"FIX","url":"https://github.com/g0rx/CVE-2018-7600-Drupal-RCE"},{"type":"EVIDENCE","url":"https://www.exploit-db.com/exploits/44448/"},{"type":"EVIDENCE","url":"https://www.exploit-db.com/exploits/44449/"},{"type":"EVIDENCE","url":"https://research.checkpoint.com/uncovering-drupalgeddon-2/"},{"type":"EVIDENCE","url":"https://www.exploit-db.com/exploits/44482/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/drupal/drupal","events":[{"introduced":"0"},{"last_affected":"bc929eb17c4f4eea83cb796b7c5bbb984bf288bd"},{"introduced":"35c2f3ca5c935f3d8bde15932a712677c9bbd50f"},{"fixed":"ca315ad868680ff1d5686a07fc326eb116816049"},{"introduced":"abfe77673a5a6194ef13600e05f1ca2c5dd59db8"},{"fixed":"6424f69db19adbf6b21832ab4973d07165ee86ad"},{"introduced":"b73ab73d39dca97a12513e8a9e4f4da4b0676f5f"},{"fixed":"9798f28fe983bea94fb06ff52423355688066780"},{"introduced":"0"},{"last_affected":"497914920385b7016ac9c9367e0198530787adf2"},{"introduced":"0"},{"last_affected":"35c2f3ca5c935f3d8bde15932a712677c9bbd50f"},{"introduced":"0"},{"last_affected":"d62812dc17ce593beb2ccd4cdbee1a76c95e3fd7"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"7.57"},{"introduced":"8.0.0"},{"fixed":"8.3.9"},{"introduced":"8.4.0"},{"fixed":"8.4.6"},{"introduced":"8.5.0"},{"fixed":"8.5.1"},{"introduced":"0"},{"last_affected":"7.0"},{"introduced":"0"},{"last_affected":"8.0"},{"introduced":"0"},{"last_affected":"9.0"}]}}],"versions":["1.0","2.0","3.0.1","5.0-beta-1","5.0-beta-2","5.0-rc-1","5.0-rc-2","6.0-beta-1","6.0-beta-2","6.0-beta-3","6.0-beta-4","6.0-rc-1","6.0-rc-2","6.0-rc-3","7.0","7.0-alpha1","7.0-alpha2","7.0-alpha3","7.0-alpha4","7.0-alpha5","7.0-alpha6","7.0-alpha7","7.0-beta1","7.0-beta2","7.0-beta3","7.0-rc-1","7.0-rc-2","7.0-rc-3","7.0-rc-4","7.0-unstable-1","7.0-unstable-10","7.0-unstable-2","7.0-unstable-3","7.0-unstable-4","7.0-unstable-5","7.0-unstable-6","7.0-unstable-7","7.10","7.12","7.14","7.15","7.17","7.22","7.23","7.25","7.28","7.30","7.33","7.36","7.37","7.4","7.40","7.42","7.43","7.50","7.51","7.54","7.55","7.56","7.57","7.6","7.7","7.8","7.9","8.0.0","8.1.0-beta1","8.3.0","8.3.0-alpha1","8.3.0-beta1","8.3.0-rc1","8.3.0-rc2","8.3.2","8.3.3","8.3.5","8.3.6","8.3.8","8.4.0","8.4.1","8.4.3","8.4.4","8.4.5","8.5.0","9.0.0","9.0.0-alpha1","9.0.0-alpha2","9.0.0-beta1","9.0.0-beta2","9.0.0-beta3","9.0.0-rc1","start"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-7600.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}