Drupal released security updates to address multiple security vulnerabilities, including a “critical” flaw tracked as CVE-2020-13664 that could be exploited by an attacker to execute arbitrary PHP code.
The CVE-2020-13664 flaw affects both versions 8 and 9, but experts pointed out that it could be exploited only in certain circumstances and most likely impacts Windows Servers.
“Drupal 8 and 9 have a remote code execution vulnerability under certain circumstances.” reads the advisory published by Drupal.
“An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability. Windows servers are most likely to be affected.”
Drupal also addressed a critical cross-site request forgery (CSRF) vulnerability tracked as CVE-2020-13663, it impacts Drupal 7, 8, and 9.
“The Drupal core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.” reads the advisory.
The development team also addressed a “less critical” access bypass vulnerability affecting versions 8 and 9.
“JSON:API PATCH requests may bypass validation for certain fields,” reads the advisory for this issue. “By default, JSON:API works in a read-only mode which makes it impossible to exploit the vulnerability. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable.”
(SecurityAffairs – hacking, CMS)