Drupal issues emergency fix for critical bug with known exploits
2020-11-27 12:31

Drupal has released emergency security updates to address a critical vulnerability with known exploits that could allow for arbitrary PHP code execution on some CMS versions.

"These statistics are incomplete; only Drupal websites using the Update Status module are included in the data," Drupal says.

The critical Drupal code execution vulnerability can be exploited if the CMS is configured to allow and process.

Multiple Drupal security updates were issued to fix the bug and to allow admins to quickly patch their servers to protect them from potential attacks.

Last week, Drupal patched another critical remote code execution vulnerability, tracked as CVE-2020-13671 and caused by improper filename sanitization for uploaded files.


News URL

https://www.bleepingcomputer.com/news/security/drupal-issues-emergency-fix-for-critical-bug-with-known-exploits/

Related Vulnerability

DATE | CVE | VULNERABILITY TITLE | RISK
2020-11-20 | CVE-2020-13671 | Unrestricted Upload of File with Dangerous Type vulnerability in multiple products | 8.8

Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.

network | low complexity | drupal, fedoraproject | CWE-434

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Drupal 135 209 504 90 16 819