Security News > 2020 > June > Drupal Patches Code Execution Flaw Most Likely to Impact Windows Servers
Updates released this week by Drupal patch several vulnerabilities, including a flaw that could allow an attacker to execute arbitrary PHP code.
The code execution vulnerability, tracked as CVE-2020-13664, can be exploited against Drupal 8 and 9 installations, but only in certain circumstances.
According to Drupal developers, the issue is most likely to affect Windows servers.
"An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability," reads an advisory published on Wednesday for the flaw.
"The Drupal core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities," Drupal developers explained.
News URL
Related news
- Recent Windows Server 2025 updates cause Remote Desktop freezes (source)
- Microsoft fixes auth issues on Windows Server, Windows 11 24H2 (source)
- Microsoft: Windows Server 2025 restarts break connectivity on some DCs (source)
- New Windows Server emergency updates fix container launch issue (source)
- Microsoft fixes Windows Server 2025 blue screen, install issues (source)
- Microsoft pitches pay-to-patch reboot reduction subscription for Windows Server 2025 (source)
- Microsoft: Windows Server hotpatching to require subscription (source)
- Microsoft: April updates cause Windows Server auth issues (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-05-05 | CVE-2020-13664 | Command Injection vulnerability in Drupal Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. | 8.8 |