Drupal patches two critical security vulnerabilities

Drupal has released security updates to address two Critical vulnerabilities, a cross-site request forgery (CSRF) flaw and an arbitrary PHP code execution flaw, affecting multiple versions of Drupal.

A remote attacker could exploit these vulnerabilities to compromise an affected site. Both issues require a logged-in administrator to be lured to an attacker-controlled page, so exposure depends on how administrative sessions are used, not only on whether the site is reachable from the internet.

In the first security advisory, SA-CORE-2020-004, Drupal patched a Critical CSRF vulnerability, CVE-2020-13663, affecting Drupal 7, 8 and 9.

The issue exists because the Drupal core Form API does not properly handle certain form input from cross-site requests. A forged form submission carried by the victim's browser can therefore be processed as if the user had submitted it, which can also lead to other vulnerabilities.
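To illustrate the class of weakness the advisory describes, here is an added example in plain PHP. It is not Drupal's own Form API code and does not reproduce the patched bug; the function and field names (form_token, handle_profile_update_*) are hypothetical. It shows a form handler that accepts any POST carrying the victim's session cookie, beside one that binds the form to the session with a secret token a third-party page cannot read.

```php
<?php
// Added example, not Drupal code. Names and the demo data below are constructed.
declare(strict_types=1);

// --- Vulnerable: any site can POST this form on the victim's behalf ---------
function handle_profile_update_vulnerable(array $post, array &$user): bool
{
    // The browser attaches the session cookie to a cross-site POST, so a
    // form auto-submitted from an attacker's page is processed exactly like
    // one the user filled in on the site itself.
    if (!isset($post['email'])) {
        return false;
    }
    $user['email'] = $post['email'];
    return true;
}

// --- Hardened: per-session secret token (synchronizer token pattern) --------
function csrf_token_issue(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrf_token_check(array $session, array $post): bool
{
    if (empty($session['csrf_token']) || !isset($post['form_token'])) {
        return false;
    }
    // hash_equals() compares in constant time; a plain == would leak timing.
    return hash_equals($session['csrf_token'], (string) $post['form_token']);
}

function render_profile_form(array &$session): string
{
    $token = htmlspecialchars(csrf_token_issue($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/profile">'
         . '<input type="hidden" name="form_token" value="' . $token . '">'
         . '<input type="email" name="email">'
         . '<button type="submit">Save</button></form>';
}

function handle_profile_update_hardened(array $session, array $post, array &$user): bool
{
    // Reject the request before touching any state if the token is absent or wrong.
    if (!csrf_token_check($session, $post)) {
        return false;
    }
    if (!isset($post['email']) || filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $user['email'] = $post['email'];
    return true;
}

// --- Constructed demonstration ---------------------------------------------
$session = [];
$user = ['email' => 'victim@example.com'];
render_profile_form($session);   // issues the session-bound token on first render

// A forged cross-site POST carries the victim's cookie but no valid token.
$forged = ['email' => 'attacker@evil.example'];
var_dump(handle_profile_update_vulnerable($forged, $user));          // processed
$user['email'] = 'victim@example.com';
var_dump(handle_profile_update_hardened($session, $forged, $user));  // rejected

// The site's own form submission includes the token and passes the check.
$legit = ['email' => 'new@example.com', 'form_token' => $session['csrf_token']];
var_dump(handle_profile_update_hardened($session, $legit, $user));
```

The token must be unpredictable, tied to the session, and compared before any side effect runs; checking it after partial processing, or accepting submissions that omit it, is the kind of gap a "does not properly handle certain form input" advisory typically points at. The example makes no claim about how Drupal's own form tokens are implemented.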

In the second advisory, SA-CORE-2020-005, Drupal patched an arbitrary PHP code execution vulnerability, CVE-2020-13664, that affects Drupal 8 and 9.

“An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability,” Drupal explained in the advisory.

The advisory adds that Windows servers are the most likely to be affected. The attack chain is indirect: the forged request only plants the directory, and code execution still requires further guessing by the attacker, but the fix should be applied to all Drupal 8 and 9 installations regardless of host operating system.
