By 
Admins of the website are today forced to update their Drupal installations pursuing the revelation of a possibly crucial flaw in the web publishing software. And when we state possibly critical, we plan, someone can possibly hack and hijack your website through this vulnerability. The security flaw, appointed CVE-2019-6340, is a distant code execution vulnerability reasoned by Drupal neglecting to absolutely check information data from RESTful web services.
A prosperous exploit of the flaw would permit a hacker to distantly function harmful code on the targeted server of the website, constructively commandeering the website. Drupal has categorized the vulnerability as highly crucial, and proposes admins fix the vulnerability ASAP.
“Some field types do not properly sanitize data from non-form sources,” Team Drupal said in disclosing the vulnerability. “This can lead to arbitrary PHP code execution in some cases.”
A website is open to strike if it is Drupal 8 core powered with the RESTful Web Services module allowed, and it manages POST or PATCH demands, or the website has another web services module permitted, likely Services or RESTful Web Services, or JSON:API in Drupal 8 in Drupal 7.
The flaw can be fixed by updating to version 8.6.10 or 8.5.11 for those functioning Drupal 8. Primary versions of Drupal 8 are not assisted and will not be fetching the fix. While Drupal 7 itself is not straight vulnerable, the flaw may be existing in different given modules, so admins should inspect those for security modifications.
Meanwhile, Drupal states entire websites can mitigate the vulnerability, practically closing off the threat vector, by preventing PUT/PATCH/POST demands on web services, or through just turning off web service modules.
“Note that web services resources may be available on multiple paths depending on the configuration of your server(s),” says Team Drupal. “For Drupal 7, resources are for example typically available via paths (clean URLs) and via arguments to the “q” query argument. For Drupal 8, paths may still function when prefixed with index.php/.”
Credit for uncovering and reporting of the flaw was presented to Samuel Mortenson, who is a member of the security team of Drupal.
