HackDig : Dig high-quality web security articles for hackers

Drupal addresses critical code execution vulnerability

2020-06-18 12:28

Drupal released security updates to patch several security issues, including a flaw that could allow an attacker to execute arbitrary PHP code.

Drupal released security updates to address multiple security vulnerabilities, including a “critical” flaw tracked as CVE-2020-13664 that could be exploited by an attacker to execute arbitrary PHP code.

The CVE-2020-13664 flaw affects both versions 8 and 9, but experts pointed out that it could be exploited only in certain circumstances and most likely impacts Windows Servers.

“Drupal 8 and 9 have a remote code execution vulnerability under certain circumstances.” reads the advisory published by Drupal.

“An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability. Windows servers are most likely to be affected.”

Drupal also addressed a critical cross-site request forgery (CSRF) vulnerability tracked as CVE-2020-13663, it impacts Drupal 7, 8, and 9.

“The Drupal core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.” reads the advisory.

The development team also addressed a “less critical” access bypass vulnerability affecting versions 8 and 9.

“JSON:API PATCH requests may bypass validation for certain fields,” reads the advisory for this issue. “By default, JSON:API works in a read-only mode which makes it impossible to exploit the vulnerability. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable.”

Pierluigi Paganini

(SecurityAffairs – hacking, CMS)

The post Drupal addresses critical code execution vulnerability appeared first on Security Affairs.


Source: os_mtu?lmth.eussi-noitucexe-edoc-lacitirc-lapurd/gnikcah/039401/sserpdrow/oc.sriaffaytiruces

Read:562 | Comments:0 | Tags:Breaking News Hacking Security CSRF Drupal hacking news info

“Drupal addresses critical code execution vulnerability”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Tools