Drupal 8.4.x < 8.4.6 RCE
Critical Nessus Network Monitor Plugin ID 700229
Synopsis
The remote server is hosting an outdated installation of Drupal that is vulnerable to a critical remote code execution attack vector.

Description
The version of Drupal installed on the remote server is 8.4.x prior to 8.4.6, and is affected by a flaw in the 'preHandle()' function in 'core/lib/Drupal/Core/DrupalKernel.php' that is triggered because certain parameter keys within HTTP requests are not properly sanitized. This may allow a remote attacker to execute arbitrary code. This issue may be exploited using multiple unspecified attack vectors.

Solution
Upgrade to Drupal 8.4.6 or later.