< Back to advisories

CVE ID – CVE-2020-13664

SECURITY RISK – Critical – 17/25 AC:Complex/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon


VULNERABILITY – Remote Code Execution (RCE)

VULNERABILITY DETAILS – Drupal 8 and 9 have a remote code execution vulnerability under certain circumstances.

An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability.

Windows servers are most likely to be affected.

ADVICE – The vendor has released an update to patch this vulnerability:

  • If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8.
  • If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1.
  • If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1.

CREDIT – Sam Thomas, Lorenzo Grespan 

Looking for more than just a test provider?

Get in touch with our team and find out how our tailored services can provide you with the information security confidence you need.