Security News > 2020 > June > Drupal Patches Code Execution Flaw Most Likely to Impact Windows Servers
Updates released this week by Drupal patch several vulnerabilities, including a flaw that could allow an attacker to execute arbitrary PHP code.
The code execution vulnerability, tracked as CVE-2020-13664, can be exploited against Drupal 8 and 9 installations, but only in certain circumstances.
According to Drupal developers, the issue is most likely to affect Windows servers.
"An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability," reads an advisory published on Wednesday for the flaw.
"The Drupal core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities," Drupal developers explained.
News URL
Related news
- New Windows Server updates cause domain controller crashes, reboots (source)
- Microsoft confirms Windows Server issue behind domain controller crashes (source)
- Microsoft releases emergency fix for Windows Server crashes (source)
- Microsoft confirms memory leak in March Windows Server security update (source)
- Microsoft: Copilot ‘app’ on Windows Server mistakenly added by Edge (source)
- Microsoft: April Windows Server updates cause NTLM auth failures (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-05-05 | CVE-2020-13664 | Command Injection vulnerability in Drupal Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. | 9.3 |