CVE-2020-13664

CVE ID – CVE-2020-13664

SECURITY RISK – Critical – 17/25 AC:Complex/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon

AFFECTED PRODUCTS – Drupal Core

VULNERABILITY – Remote Code Execution (RCE)

VULNERABILITY DETAILS – Drupal 8 and 9 contain a remote code execution vulnerability that is exploitable only under certain circumstances.

The attack has two stages. First, an attacker must trick a logged-in administrator into visiting a malicious site; that visit can cause a carefully named directory to be created on the server's file system. Second, with that directory in place, the attacker can attempt to brute force the remote code execution vulnerability. The need for administrator interaction and for a successful brute-force attempt is why the risk vector rates the attack as complex (AC:Complex) with theoretical exploitability (E:Theoretical), even though a successful exploit fully compromises confidentiality and integrity.

Windows servers are the most likely to be affected.

ADVICE – The vendor has released updates that patch this vulnerability. Upgrade to the fixed release for the branch you are running:

  • If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8.
  • If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1.
  • If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1.
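To triage an installation against the fixed releases listed above, the following Python check reads the `VERSION` constant from `core/lib/Drupal.php` and reports whether the running release is at or beyond the fix for its branch. This is an added example written for this page; it is not part of the advisory or of Drupal itself. The `Drupal.php` snippet embedded below is constructed sample input, and the fixed-version table is taken directly from the advice above. Branches the advisory does not list (for example 8.7.x) are reported as "unlisted" rather than safe, because the advisory says nothing about them.

```python
"""Check a Drupal core version against the fixed releases for CVE-2020-13664.

Added example for this advisory page (not Drupal's own code). The fixed
versions come from the advice section: 8.8.8, 8.9.1 and 9.0.1.
"""
import re
from typing import Optional, Tuple

# Fixed release per minor branch, exactly as listed in the advisory.
FIXED = {
    (8, 8): "8.8.8",
    (8, 9): "8.9.1",
    (9, 0): "9.0.1",
}

# Drupal core declares its version as a class constant in core/lib/Drupal.php.
VERSION_RE = re.compile(r"const\s+VERSION\s*=\s*'([^']+)'")

# Constructed sample of the relevant part of core/lib/Drupal.php (not a real file).
SAMPLE_DRUPAL_PHP = """<?php
class Drupal {
  const VERSION = '8.8.7';
  const CORE_COMPATIBILITY = '8.x';
}
"""


def extract_version(drupal_php: str) -> str:
    """Return the VERSION string declared in the contents of core/lib/Drupal.php."""
    m = VERSION_RE.search(drupal_php)
    if not m:
        raise ValueError("no VERSION constant found in Drupal.php contents")
    return m.group(1)


def parse_version(text: str) -> Tuple[int, int, int, tuple]:
    """Parse '8.8.7' or '9.0.0-rc1' into a tuple that compares correctly.

    A pre-release suffix (alpha, beta, rc) sorts below the final release of
    the same number, so '9.0.1-rc1' is still reported as vulnerable.
    """
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(?:-([a-z]+)(\d*))?$", text.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):
        pre = (0, m.group(4), int(m.group(5) or 0))  # pre-release: below final
    else:
        pre = (1,)  # final release
    return (major, minor, patch, pre)


def assess(version: str) -> Tuple[str, Optional[str]]:
    """Classify a version as 'fixed', 'vulnerable' or 'unlisted'.

    Returns (status, fixed_release_for_branch); the second element is None
    when the branch is not covered by the advisory's upgrade list.
    """
    v = parse_version(version)
    branch = (v[0], v[1])
    if branch not in FIXED:
        return ("unlisted", None)
    target = FIXED[branch]
    if v >= parse_version(target):
        return ("fixed", target)
    return ("vulnerable", target)


if __name__ == "__main__":
    # Typical use: python check.py < core/lib/Drupal.php
    import sys
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DRUPAL_PHP
    running = extract_version(source)
    status, target = assess(running)
    if status == "vulnerable":
        print(f"Drupal {running}: VULNERABLE to CVE-2020-13664, upgrade to {target}")
    elif status == "fixed":
        print(f"Drupal {running}: fixed (>= {target})")
    else:
        print(f"Drupal {running}: branch not listed in the advisory; verify separately")
```

Pipe the real `core/lib/Drupal.php` into the script on a host you are auditing; with no input it evaluates the constructed sample and reports 8.8.7 as vulnerable. Treat "unlisted" as a prompt to check the branch's support status, not as a clean result.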

CREDIT – Sam Thomas, Lorenzo Grespan