Critical vulnerabilities were tracked in one of Drupal's plugins; attackers could exploit them to take complete control of the affected Drupal site. An attacker can use this bug to hack the Drupal website by sending a specially crafted “X-Original-URL” or “X-Rewrite-URL” HTTP header.
Drupal’s maintenance staff fixed the security bypass vulnerability by releasing version 8.5.6 of the popular content management system.
CVE-2018-14773
Affected version
Symfony 2.7.0 to 2.7.48, 2.8.0 to 2.8.43, 3.3.0 to 3.3.17, 3.4.0 to 3.4.13, 4.0.0 to 4.0.13 and 4.1.0 to 4.1.2
Drupal 8.x versions before 8.5.6
Unaffected version
Symfony 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14 and 4.1.3
Drupal 8.5.6
Solution
Upgrade to an unaffected version.
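The version ranges listed above can be checked against an inventory automatically. The following is an added example, not code from the Drupal or Symfony projects; the function names and the sample inventory are hypothetical, and the version data is copied from the lists above.

```python
import re

# First fixed Symfony release per affected branch, taken from the lists above.
SYMFONY_FIXED = {
    (2, 7): (2, 7, 49),
    (2, 8): (2, 8, 44),
    (3, 3): (3, 3, 18),
    (3, 4): (3, 4, 14),
    (4, 0): (4, 0, 14),
    (4, 1): (4, 1, 3),
}
DRUPAL_FIXED = (8, 5, 6)  # Drupal 8.x versions before 8.5.6 are affected


def parse_version(text):
    """Parse '3.4.13', 'v3.4.13' or '7.59' into (major, minor, patch).
    Pre-release or other suffixed strings are rejected for manual review."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def status(product, version):
    """Return (state, fixed_in): state is 'affected', 'unaffected' or
    'unlisted' (product or branch not named in the advisory)."""
    v = parse_version(version)
    if product == "symfony":
        fixed = SYMFONY_FIXED.get(v[:2])
    elif product == "drupal" and v[0] == 8:
        fixed = DRUPAL_FIXED
    else:
        fixed = None
    if fixed is None:
        return ("unlisted", None)
    if v < fixed:
        return ("affected", ".".join(map(str, fixed)))
    return ("unaffected", None)


def audit(inventory):
    """Return only the entries that need an upgrade, with the target version."""
    findings = []
    for host, product, version in inventory:
        state, fixed_in = status(product, version)
        if state == "affected":
            findings.append((host, product, version, fixed_in))
    return findings


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [("web1", "drupal", "8.5.5"), ("web2", "drupal", "8.5.6"),
          ("api1", "symfony", "v3.4.13"), ("api2", "symfony", "4.1.3")]
```

A status of "unlisted" means only that the advisory lists above do not name that branch, not that the release has been confirmed safe.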