Security News > 2020 > June > Drupal Patches Code Execution Flaw Most Likely to Impact Windows Servers

Drupal Patches Code Execution Flaw Most Likely to Impact Windows Servers
2020-06-18 12:37

Updates released this week by Drupal patch several vulnerabilities, including a flaw that could allow an attacker to execute arbitrary PHP code.

The code execution vulnerability, tracked as CVE-2020-13664, can be exploited against Drupal 8 and 9 installations, but only in certain circumstances.

According to Drupal developers, the issue is most likely to affect Windows servers.

"An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability," reads an advisory published on Wednesday for the flaw.

"The Drupal core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities," Drupal developers explained.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/PCBbq11YIqA/drupal-patches-code-execution-flaw-most-likely-impact-windows-servers

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2021-05-05 CVE-2020-13664 Command Injection vulnerability in Drupal
Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances.
network
low complexity
drupal CWE-77
8.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Drupal 15 0 66 45 14 125