Sites running the Drupal content management system risk being hijacked until they're patched against a vulnerability that allows hackers to remotely execute malicious code.
CVE-2019-6340, as the flaw is tracked, stems from a failure to validate user input, Drupal project managers said in an advisory. Hackers who exploit the vulnerability could, in some cases, run code of their choice on vulnerable websites. The flaw is rated highly critical.
"Some field types do not properly sanitize data from non-form sources," the advisory stated.
A site is affected if it has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or
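As an added example, not taken from the article or from the Drupal project, the check below audits a Drupal 8 site's exported configuration for the exposure condition above: the core rest module enabled together with at least one REST resource that accepts POST or PATCH. The config layouts (core.extension, rest.resource.* entities in both the "resource" and older "method" granularity) are assumed from Drupal 8's config export, and the sample values are constructed for the example.

```python
# Audit exported Drupal 8 config for the CVE-2019-6340 exposure condition:
# rest module enabled AND a resource that allows POST or PATCH.
# Config shapes are assumed from Drupal 8 config export; values are constructed.
WRITE_METHODS = {"POST", "PATCH"}


def resource_methods(resource_cfg):
    """Return the HTTP methods a rest.resource.* config entity allows.

    Granularity 'resource' keeps a 'configuration.methods' list; the older
    granularity 'method' keys 'configuration' by the method name itself.
    """
    conf = resource_cfg.get("configuration", {})
    if resource_cfg.get("granularity") == "method":
        return {m.upper() for m in conf}
    return {m.upper() for m in conf.get("methods", [])}


def find_exposed_resources(core_extension, rest_resources):
    """Names of enabled REST resources accepting POST/PATCH, or [] if the
    rest module is disabled or no resource allows writes."""
    # core.extension lists enabled modules as keys (value is the weight).
    if "rest" not in core_extension.get("module", {}):
        return []
    exposed = []
    for name, cfg in sorted(rest_resources.items()):
        if cfg.get("status", True) is False:  # disabled config entity
            continue
        if resource_methods(cfg) & WRITE_METHODS:
            exposed.append(name)
    return exposed


# Constructed sample of a config export (not from a real site).
SAMPLE_CORE_EXTENSION = {"module": {"node": 0, "rest": 0, "serialization": 0},
                         "theme": {"bartik": 0}, "profile": "standard"}
SAMPLE_REST_RESOURCES = {
    "rest.resource.entity.node": {
        "status": True, "plugin_id": "entity:node", "granularity": "resource",
        "configuration": {"methods": ["GET", "POST", "PATCH"],
                          "formats": ["json"], "authentication": ["basic_auth"]}},
    "rest.resource.entity.user": {  # read-only, older layout
        "status": True, "plugin_id": "entity:user", "granularity": "method",
        "configuration": {"GET": {"supported_formats": ["json"],
                                  "supported_auth": ["cookie"]}}},
    "rest.resource.entity.comment": {  # allows POST but is disabled
        "status": False, "plugin_id": "entity:comment", "granularity": "resource",
        "configuration": {"methods": ["POST"], "formats": ["json"],
                          "authentication": ["cookie"]}},
}

if __name__ == "__main__":
    hits = find_exposed_resources(SAMPLE_CORE_EXTENSION, SAMPLE_REST_RESOURCES)
    print("exposed resources:", hits or "none")
```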
Project managers are urging administrators of vulnerable websites to update at once. For sites running version 8.6.x, this involves upgrading to 8.6.1.
Drupal is the third most-widely used CMS. With an estimated 3 percent to 4 percent of the world's billion-plus websites, that means Drupal runs tens of millions of sites. Critical flaws in any CMS are popular with hackers, because the vulnerabilities can be unleashed against large numbers of sites with a single, often-easy-to-write script.
In 2014 and again last year, hackers wasted no time exploiting extremely critical code-execution vulnerabilities shortly after they were fixed by Drupal project leaders. Last year's "Drupalgeddon2" vulnerability was silently exploited six weeks after it was patched.
At the time this post was released, there were no reports of the latest Drupal vulnerability being actively exploited in the wild. This is obviously subject to change. This post will be updated.