Security Experts:

Drupal Patches Code Execution Flaw Most Likely to Impact Windows Servers

Updates released this week by Drupal patch several vulnerabilities, including a flaw that could allow an attacker to execute arbitrary PHP code.

The code execution vulnerability, tracked as CVE-2020-13664, can be exploited against Drupal 8 and 9 installations, but only in certain circumstances. According to Drupal developers, the issue is most likely to affect Windows servers.

“An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability,” reads an advisory published on Wednesday for the flaw.

The security hole has been assigned a “critical” security risk rating, but it’s worth noting that Drupal uses the NIST Common Misuse Scoring System, which assigns a score ranging between 0 and 25, with “critical” being only the second highest rating, after “highly critical.”

Another “critical” vulnerability patched this week is CVE-2020-13663, which affects Drupal 7, 8 and 9. An attacker can exploit the flaw for cross-site request forgery (CSRF) attacks.

“The Drupal core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities,” Drupal developers explained.

Lastly, Drupal patched a “less critical” — this is the second lowest risk rating — access bypass vulnerability affecting versions 8 and 9.

“JSON:API PATCH requests may bypass validation for certain fields,” reads the advisory for this issue. “By default, JSON:API works in a read-only mode which makes it impossible to exploit the vulnerability. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable.”

Related: Drupal Updates CKEditor to Patch XSS Vulnerabilities

Related: XSS, Open Redirect Vulnerabilities Patched in Drupal

Related: Vulnerability Related to Processing of Archive Files Patched in Drupal

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.