Drupal Patches Code Execution Flaw Most Likely to Impact Windows Servers (Security News, June 2020)
Updates released this week by Drupal patch several vulnerabilities, including a flaw that could allow an attacker to execute arbitrary PHP code.
The code execution vulnerability, tracked as CVE-2020-13664, can be exploited against Drupal 8 and 9 installations, but only in certain circumstances.
According to Drupal developers, the issue is most likely to affect Windows servers.
"An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability," reads an advisory published on Wednesday for the flaw.
"The Drupal core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities," Drupal developers explained.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-05-05 | CVE-2020-13664 | Command Injection vulnerability in Drupal. Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. | 8.8 |