Fluid Attacks Database

Description

Drupal Core Arbitrary PHP code execution vulnerability Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability. Windows servers are most likely to be affected. This issue affects: Drupal Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior to 8.9.1; 9.0.1 versions prior to 9.0.1.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	drupal/core	>=8.8.0 <8.8.8 \|\| >=8.9.0 <8.9.1 \|\| >=9.0.0 <9.0.1	8.8.8, 8.9.1, 9.0.1
packagist	drupal/drupal	>=8.8.0 <8.8.8 \|\| >=8.9.0 <8.9.1 \|\| >=9.0.0 <9.0.1	8.8.8, 8.9.1, 9.0.1
packagist	drupal/core-recommended	>=8.8.0 <8.8.8 \|\| >=8.9.0 <8.9.1 \|\| >=9.0.0 <9.0.1	8.8.8, 8.9.1, 9.0.1

Aliases

1. CVE-2020-136642. NVD-2020-136643. OSV-2020-136644. GCVE-2020-13664

References

1. https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13664.yaml2. https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13664.yaml3. https://www.drupal.org/sa-core-2020-005