Security update for the Drupal CMS
A critical security hole has been closed in versions 4.7.6 and 5.1 of the Drupal content management system. According to the developers, the vulnerability allowed attackers to gain control of the server. The flaw was found in the preview of comments, which are not processed with the usual form validation functions. Attackers could exploit the flaw to execute arbitrary code. However, the flaw could only be exploited by users who are authorized to post comments and have access to multiple input filters. Usually, users only have access to one filter. As a workaround, the developers recommend switching off the comments module or revoking the right to post comments from all users.
- Drupal core Arbitrary code execution security advisory at Drupal.org