Updates released this week by Drupal patch several vulnerabilities, including a flaw that could allow an attacker to execute arbitrary PHP code.
The code execution vulnerability, tracked as CVE-2020-13664, can be exploited against Drupal 8 and 9 installations, but only in certain circumstances. According to Drupal developers, the issue is most likely to affect Windows servers.
“An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability,” reads an advisory published on Wednesday for the flaw.
The security hole has been assigned a “critical” security risk rating, but it’s worth noting that Drupal uses the NIST Common Misuse Scoring System, which assigns a score ranging between 0 and 25, with “critical” being only the second highest rating, after “highly critical.”
Another “critical” vulnerability patched this week is CVE-2020-13663, which affects Drupal 7, 8 and 9. An attacker can exploit the flaw for cross-site request forgery (CSRF) attacks.
“The Drupal core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities,” Drupal developers explained.
Lastly, Drupal patched a “less critical” — this is the second lowest risk rating — access bypass vulnerability affecting versions 8 and 9.
“JSON:API PATCH requests may bypass validation for certain fields,” reads the advisory for this issue. “By default, JSON:API works in a read-only mode which makes it impossible to exploit the vulnerability. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable.”