Drupal issues emergency fix for critical bug with known exploits
Drupal has released emergency security updates to address a critical vulnerability with known exploits that could allow for arbitrary PHP code execution on some CMS versions.
"These statistics are incomplete; only Drupal websites using the Update Status module are included in the data," Drupal says.
The critical Drupal code execution vulnerability can be exploited if the CMS is configured to allow and process.
Multiple Drupal security updates were issued to fix the bug and to allow admins to quickly patch their servers to protect them from potential attacks.
Last week, Drupal patched another critical remote code execution vulnerability, tracked as CVE-2020-13671 and caused by improper sanitization of the filenames of uploaded files.
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-11-20 | CVE-2020-13671 | Unrestricted Upload of File with Dangerous Type vulnerability in multiple products. Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. | 8.8 |