Description

Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability. Windows servers are most likely to be affected. This issue affects: Drupal Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior to 8.9.1; 9.0.1 versions prior to 9.0.1.

Remediation

References

CVE-2020-13664

Related Vulnerabilities

Magento Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-9581)

Apache Tomcat Improper Authentication Vulnerability (CVE-2012-5887)

Grafana Missing Authentication for Critical Function Vulnerability (CVE-2022-28660)

WordPress Plugin IMPress for IDX Broker Unspecified Vulnerability (2.5.11)

WordPress Plugin Popup Builder-Responsive WordPress Pop up-Subscription & Newsletter Multiple Vulnerabilities (3.63)

Severity

High

Classification

CVE-2020-13664 CWE-138 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities