CVE-2020-13664

< back to advisories

CVE ID – CVE-2020-13664

SECURITY RISK – Critical – 17/25 AC:Complex/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon

AFFECTED PRODUCTS Drupal Core

VULNERABILITY – Remote Code Execution (RCE)

VULNERABILITY DETAILS – Drupal 8 and 9 have a remote code execution vulnerability under certain circumstances.

An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability.

Windows servers are most likely to be affected.

ADVICE – The vendor has released an update to patch this vulnerability:

  • If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8.
  • If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1.
  • If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1.

CREDIT – Sam Thomas, Lorenzo Grespan 

Read the indepth research >

How can we support you?

Contact our team today to find out how we can help support your organization.

Contact us >
CREST | Pentest Limited
OSCP

/contact

Twitter Linkedin Github Youtube

/services

/about

/links

Pentest Limited is registered in England and Wales with company number 11925182

Registered address: 22 Great James Street, London, WC1N 3ES

VAT registration No: 331802826​

© Pentest Limited 2022. All rights reserved.