TTCSIRT-196.012319: TT-CSIRT Advisory – Drupal Security Updates
Drupal has released a security update stating that a remote code execution vulnerability exists in PHP’s built-in phar stream wrapper when performing file operations on an untrusted phar:// URI.
Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability.
This issue is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.
|Further information on this vulnerability and how it can be mitigated can be found on the Drupal Website at https://www.drupal.org/sa-core-2019-002|