Security advisories: Drupal core – Critical – Arbitrary PHP code execution – SA-CORE-2020-005

Project: 
Date: 
2020-June-17
Vulnerability: 
Arbitrary PHP code execution
CVE IDs: 
CVE-2020-13664
Description: 

Drupal 8 and 9 have a remote code execution vulnerability under certain circumstances.

An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability.

Windows servers are most likely to be affected.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.8.

Reported By: 
Fixed By: