On February 20, 2019, between 1 PM and 5 PM, Drupal will release a critical update for Drupal 8.5 and 8.6.
The vulnerability discovered is theoretical, which means it is not being used to attack websites at this time. However, it is considered critical because this vulnerability could be used by a remote attacker without any credentials and would permit a complete take-over of the website and server. Not all configurations are affected, so when the announcement is made public it will need to be reviewed to determine the configurations at risk. Drupal is releasing vulnerable configuration details on February 20.
I am a Drupal 7 user. What does this mean for me?
Drupal 7 core is not affected, but contributed modules may be. To be safe, Drupal 7 users should also review the announcement to determine if any of their modules are at risk.
Where do I find more information?
The Drupal PSA may be reviewed at https://www.drupal.org/psa-2019-02-19. The full announcement will be posted to https://www.drupal.org/security. We do not have any information other than what has been provided in the PSA at this time, however this post will be updated as we receive more.
If you’re looking for assistance with any vulnerabilities, please contact us.