Developers have identified three additional moderately critical vulnerabilities in Drupal 7 and 8. US CERT: Remote attacker could exploit some of these vulnerabilities to take control of an affected system. The bugs include an injection vulnerability in the default Drupal mail backend, which uses PHP s mail function [DefaultMailSystem::mail()] in. Drupal also acknowledged three other bugs in its advisory released by the Drupal developer community. The company advised users to upgrade to the most recent version of. Drupal 7 or 8 core.
Source: https://threatpost.com/two-critical-rce-bugs-patched-in-drupal-7-and-8/138468/