On March 28, 2018, Drupal issued an advisory highlighting a remote code execution (RCE) vulnerability in various versions of Drupal. The vulnerability was later renamed Drupalgeddon2. Drupal version 6 was introduced with the Form API, which was used to alter data during form rendering; in Drupal 7, this was generalized as renderable arrays. Renderable arrays contain metadata in a key-value structure and are used in the rendering process:
[ '#type' => 'email', '#title' => '<em> Email Address</em>', '#prefix' => '<div>', '#suffix' => '</div>' ]
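Because every key beginning with `#` is read as rendering metadata, request data must never reach a renderable array with such keys intact. The following is an added example, not Drupal's own code: the function names `split_render_array` and `strip_property_keys` are hypothetical and the request data is constructed. It separates metadata keys from child elements and recursively removes `#`-prefixed keys from untrusted input, recording what was dropped.

```php
<?php
// Added example; not Drupal core code. Function names are hypothetical.

// Split an element into '#'-prefixed properties (metadata) and child elements.
function split_render_array(array $element): array {
    $properties = [];
    $children = [];
    foreach ($element as $key => $value) {
        if (is_string($key) && $key !== '' && $key[0] === '#') {
            $properties[$key] = $value;
        } else {
            $children[$key] = $value;
        }
    }
    return [$properties, $children];
}

// Recursively drop '#'-prefixed keys from untrusted input so that request
// data can never be interpreted as render metadata. Paths of the removed
// keys are appended to $removed so they can be logged or alerted on.
function strip_property_keys(array $input, array &$removed, string $path = ''): array {
    $clean = [];
    foreach ($input as $key => $value) {
        $here = $path === '' ? (string) $key : $path . '[' . $key . ']';
        if (is_string($key) && $key !== '' && $key[0] === '#') {
            $removed[] = $here;
            continue;
        }
        $clean[$key] = is_array($value)
            ? strip_property_keys($value, $removed, $here)
            : $value;
    }
    return $clean;
}

// The element from the text: all four keys are properties, none are children.
$element = ['#type' => 'email', '#title' => '<em> Email Address</em>',
            '#prefix' => '<div>', '#suffix' => '</div>'];
[$properties, $children] = split_render_array($element);
echo 'properties: ', implode(', ', array_keys($properties)), "\n";
echo 'children: ', count($children), "\n";

// Constructed request data: one nested key is shaped like a render property.
$request = ['name' => 'alice',
            'mail' => ['value' => 'user@example.com', '#prefix' => 'x']];
$removed = [];
$clean = strip_property_keys($request, $removed);
echo 'removed: ', implode(', ', $removed), "\n";
echo 'kept: ', json_encode($clean), "\n";
```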
Let's now learn about this forms-based vulnerability.