CVE ID – CVE-2020-13664
SECURITY RISK – Critical – 17/25 AC:Complex/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon
AFFECTED PRODUCTS – Drupal Core
VULNERABILITY – Remote Code Execution (RCE)
VULNERABILITY DETAILS – Drupal 8 and 9 have a remote code execution vulnerability under certain circumstances.
An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability.
Windows servers are most likely to be affected.
ADVICE – The vendor has released an update to patch this vulnerability:
- If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8.
- If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1.
- If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1.
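The three upgrade paths above map cleanly onto an inventory check. The following Python is an added example, not part of the advisory: it encodes the fixed releases exactly as listed (8.8.8, 8.9.1, 9.0.1), classifies a site's Drupal core version as vulnerable, patched, or on a branch this advisory gives no upgrade path for, and orders a fleet so the hosts that need the update come first. The hostnames and version strings in the sample inventory are constructed for the example, and the code assumes plain "MAJOR.MINOR.PATCH" version strings.

```python
# Added example (not part of the advisory): classify Drupal core versions
# against the fixed releases this advisory lists for CVE-2020-13664.
from typing import Dict, List, Optional, Tuple

# Fixed releases exactly as the advisory states them, keyed by (major, minor) branch.
FIXED_RELEASES: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (8, 8): (8, 8, 8),
    (8, 9): (8, 9, 1),
    (9, 0): (9, 0, 1),
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' into a tuple of ints; reject anything else
    so a malformed inventory entry fails loudly instead of being skipped."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(version: str) -> Dict[str, Optional[str]]:
    """Return the status of one version and, where applicable, the release to upgrade to.

    Statuses:
      vulnerable      - in a listed branch, below the fixed release
      patched         - in a listed branch, at or above the fixed release
      unlisted-branch - not covered by this advisory's upgrade paths; needs review
    """
    major, minor, patch = parse_version(version)
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return {"version": version, "status": "unlisted-branch", "upgrade_to": None}
    if (major, minor, patch) < fixed:
        return {"version": version, "status": "vulnerable",
                "upgrade_to": ".".join(str(n) for n in fixed)}
    return {"version": version, "status": "patched", "upgrade_to": None}


def triage(inventory: List[Tuple[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Assess every (host, version) pair; vulnerable hosts sort first, then
    unlisted branches that need a manual look, then patched hosts."""
    results = [dict(host=host, **assess(version)) for host, version in inventory]
    order = {"vulnerable": 0, "unlisted-branch": 1, "patched": 2}
    return sorted(results, key=lambda r: order[r["status"]])


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("cms-win-01.example.test", "8.8.7"),
    ("cms-lin-02.example.test", "8.9.1"),
    ("cms-lin-03.example.test", "9.0.0"),
    ("legacy.example.test", "8.7.14"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        action = (f"upgrade to {row['upgrade_to']}" if row["upgrade_to"]
                  else "no upgrade path in this advisory")
        print(f"{row['host']:<28} {row['version']:<8} {row['status']:<16} {action}")
```

The "unlisted-branch" status is deliberate: the advisory says Drupal 8 and 9 are affected but only gives upgrade paths for 8.8.x, 8.9.x and 9.0.x, so a site on any other branch is flagged for review rather than silently reported as safe.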
CREDIT – Sam Thomas, Lorenzo Grespan