Three popular Drupal modules get patches for site takeover flaws
The security team of the popular Drupal content management system worked with the maintainers of three third-party modules to fix critical vulnerabilities that could allow attackers to take over websites.
The flaws allow attackers to execute rogue PHP code on web servers that host Drupal websites with the RESTWS, Coder or Webform Multiple File Upload modules installed. These modules are not part of Drupal’s core, but are used by thousands of websites.
The RESTWS module is a popular tool for creating REST application programming interfaces (APIs) and is currently installed on over 5,800 websites. Unauthenticated attackers can exploit the remote code execution vulnerability in its page callback functionality by sending specially crafted requests to the website.