Arbitrary PHP Code Execution Vulnerability in Drupal Core by Drupal
CVE-2020-13664

8.8HIGH

Key Information:

Vendor: Drupal
Status: Drupal Core
Vendor: CVE Published:; 5 May 2021

Summary

This vulnerability in Drupal Core allows for arbitrary PHP code execution under specific conditions. An attacker may deceive an administrator into visiting a malicious page, resulting in the creation of a specially named directory on the server's filesystem. This directory could potentially be exploited to brute-force a remote code execution vector, affecting primarily Windows server configurations. Multiple versions of Drupal Core prior to certain updates are susceptible to this security issue, highlighting the importance of timely patches and secure practices.

Affected Version(s)

Drupal Core 8.8.x < 8.8.8

Drupal Core 8.9.x < 8.9.1

Drupal Core 9.0.1

References

https://www.drupal.org/sa-core-2020-005

x_refsource_CONFIRM

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
May 5, 2021
Vulnerability Reserved
May 28, 2020