Websites that run the Drupal content management system run the risk of being hijacked until they're patched against a vulnerability that allows hackers to remotely execute malicious code, the open source project warned Wednesday.

CVE-2019-6340, as the flaw is tracked, stems from a failure to sufficiently validate user input, Drupal said in an advisory. Hackers who exploited the vulnerability could, in some cases, run code of their choice on vulnerable websites.

A website is only affected by this if one of the following conditions is met:

• The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or
• the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.

(Note: The Drupal 7 Services module itself does not require an update at this time, but you should still apply other contributed updates associated with this advisory if Services is in use.)

Drupal is urging administrators of vulnerable websites to update at once.

Solution:

• If you are using Drupal 8.6.x, upgrade to Drupal 8.6.10.
• If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.11.
  
• Be sure to install any available security updates for contributed projects after updating Drupal core.
• No core update is required for Drupal 7, but several Drupal 7 contributed modules do require updates.

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

Drupal is the third most-widely used CMS behind WordPress and Joomla.