Advisories

CVE-2020-13664

< Back to advisories

CVE ID – CVE-2020-13664

SECURITY RISK – Critical – 17/25 AC:Complex/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon

AFFECTED PRODUCTS Drupal Core

VULNERABILITY – Remote Code Execution (RCE)

VULNERABILITY DETAILS – Drupal 8 and 9 have a remote code execution vulnerability under certain circumstances.

An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability.

Windows servers are most likely to be affected.

ADVICE – The vendor has released an update to patch this vulnerability:

  • If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8.
  • If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1.
  • If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1.

CREDIT – Sam Thomas, Lorenzo Grespan 

Read the indepth research on CVE-2020-13664 >

The latest research and insights from Pentest

Looking for more than just a test provider?

Get in touch with our team and find out how our tailored services can provide you with the information security confidence you need.

Contact us today >
Pentest - CREST Accreditation
Pentest ISO 9001 Accreditation
Pentest ISO 27001 Accreditation
Pentest - Cyber Essentials Plus Accreditation
Pentest - OSCP Accreditation

/contact Us

/connect

Twitter Linkedin-in Github Youtube

/services

/about

/links

Pentest Limited is registered in England and Wales with company number 11925182

Registered address: 22 Great James Street, London, WC1N 3ES

VAT registration No: 331802826​

© 2019 - Present. Pentest Limited. All rights reserved.