Updates released this week by Drupal patch several vulnerabilities, including a flaw that could allow an attacker to execute arbitrary PHP code.
The code execution vulnerability, tracked as CVE-2020-13664, can be exploited against Drupal 8 and 9 installations, but only in certain circumstances. According to Drupal developers, the issue is most likely to affect Windows servers.
“An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability,” reads an advisory published on Wednesday for the flaw.
The security hole has been assigned a “critical” security risk rating, but it’s worth noting that Drupal uses the NIST Common Misuse Scoring System, which assigns a score ranging between 0 and 25, with “critical” being only the second highest rating, after “highly critical.”
Another “critical” vulnerability patched this week is CVE-2020-13663, which affects Drupal 7, 8 and 9. An attacker can exploit the flaw for cross-site request forgery (CSRF) attacks.
“The Drupal core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities,” Drupal developers explained.
Lastly, Drupal patched a “less critical” — this is the second lowest risk rating — access bypass vulnerability affecting versions 8 and 9.
“JSON:API PATCH requests may bypass validation for certain fields,” reads the advisory for this issue. “By default, JSON:API works in a read-only mode which makes it impossible to exploit the vulnerability. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable.”
Related: Drupal Updates CKEditor to Patch XSS Vulnerabilities
Related: XSS, Open Redirect Vulnerabilities Patched in Drupal
Related: Vulnerability Related to Processing of Archive Files Patched in Drupal

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- NIST Publishes Final Version of 800-82r3 OT Security Guide
- Johnson Controls Hit by Ransomware
- Verisoul Raises $3.25 Million in Seed Funding to Detect Fake Users
- Government Shutdown Could Bench 80% of CISA Staff
- Google Rushes to Patch New Zero-Day Exploited by Spyware Vendor
- macOS 14 Sonoma Patches 60 Vulnerabilities
- New GPU Side-Channel Attack Allows Malicious Websites to Steal Data
Latest News
- Bankrupt IronNet Shuts Down Operations
- AWS Using MadPot Decoy System to Disrupt APTs, Botnets
- Generative AI Startup Nexusflow Raises $10.6 Million
- In Other News: RSA Encryption Attack, Meta AI Privacy, ShinyHunters Hacker Guilty Plea
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- National Security Agency is Starting an Artificial Intelligence Security Center
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
