Drupal REST Remote Code Execution
Description
Drupal is prone to a remote code-execution vulnerability when the REST module is enabled (by default this module is disabled). Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution.
A site is only affected by this if one of the following conditions is met:
- the site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows GET, PATCH or POST requests,
- or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.
Remediation
If you are using Drupal 8.6.x, upgrade to Drupal 8.6.10.
If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.11.
Be sure to install any available security updates for contributed projects after updating Drupal core.
No core update is required for Drupal 7, but several Drupal 7 contributed modules do require updates.
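As an added example (not part of the advisory and not Drupal project code), the following Python triage helper encodes the version thresholds from the remediation and the two exposure conditions from the description, so a fleet of sites can be sorted into "needs core upgrade", "exposed", or both. The module machine names jsonapi, services and restws, the treatment of branches newer than 8.6 as already fixed, and the sample sites at the bottom are assumptions constructed for this example.

```python
"""Triage helper for the Drupal REST RCE advisory (added example, not project code).

Answers two questions per site:
  1. Does this core version need the upgrade the advisory names?
  2. Does the site meet one of the advisory's exposure conditions (core rest
     module allowing GET/PATCH/POST, or another web services module enabled)?
"""
import re
from typing import Iterable, NamedTuple, Tuple

# Assumed machine names mapping the advisory's module list onto typical Drupal
# module names; adjust for your site if they differ.
D8_REST_MODULE = "rest"
OTHER_WEB_SERVICE_MODULES = {"jsonapi", "services", "restws"}
RISKY_METHODS = {"GET", "PATCH", "POST"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse '8.6.9' or '7.63' into (major, minor, patch); patch defaults to 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def core_needs_update(version: str) -> bool:
    """True when the advisory asks for a core upgrade for this version.

    Thresholds are the advisory's own: 8.6.x -> 8.6.10, 8.5.x or earlier -> 8.5.11,
    Drupal 7 -> no core update. Branches newer than 8.6 are assumed to carry the fix.
    """
    major, minor, patch = parse_version(version)
    if major == 7:
        return False
    if major > 8 or (major == 8 and minor >= 7):
        return False  # assumption: releases after 8.6.10 include the fix
    if major < 8:
        raise ValueError("advisory covers Drupal 7 and 8 only")
    if minor == 6:
        return patch < 10
    return (minor, patch) < (5, 11)


def is_exposed(enabled_modules: Iterable[str], rest_methods: Iterable[str] = ()) -> bool:
    """Apply the advisory's two exposure conditions to a site's configuration."""
    enabled = {m.strip().lower() for m in enabled_modules}
    methods = {m.strip().upper() for m in rest_methods}
    if D8_REST_MODULE in enabled and methods & RISKY_METHODS:
        return True
    return bool(enabled & OTHER_WEB_SERVICE_MODULES)


class Assessment(NamedTuple):
    core_needs_update: bool
    exposed: bool
    action: str


def assess(version: str, enabled_modules: Iterable[str],
           rest_methods: Iterable[str] = ()) -> Assessment:
    """Combine the version check and exposure check into one recommended action."""
    needs = core_needs_update(version)
    exposed = is_exposed(enabled_modules, rest_methods)
    major = parse_version(version)[0]
    if not exposed:
        action = "no exposure condition in the advisory is met"
    elif major == 7:
        action = "no core update required; update Drupal 7 web services contributed modules"
    elif needs:
        action = "upgrade core, then install contributed project security updates"
    else:
        action = "core already fixed; still install contributed project security updates"
    return Assessment(needs, exposed, action)


if __name__ == "__main__":
    # Constructed sample sites for illustration, not real inventory data.
    samples = [
        ("8.6.9", ["node", "user", "rest"], ["GET", "POST"]),
        ("8.6.10", ["node", "jsonapi"], []),
        ("8.5.10", ["node", "rest"], ["DELETE"]),
        ("7.63", ["node", "services"], []),
    ]
    for ver, mods, methods in samples:
        print(ver, assess(ver, mods, methods))
```

Feed it the core version and the enabled module list from each site (for the rest module, also the HTTP methods its resource configuration allows); sites that are exposed and still below the fixed release are the ones to upgrade first.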