Drupal has released a security update that fixes two Critical arbitrary PHP code execution vulnerabilities in multiple versions of Drupal.
A remote attacker could exploit these vulnerabilities to compromise an affected system.
The Drupal update SA-CORE-2020-013 patches two Critical arbitrary PHP code execution vulnerabilities, CVE-2020-28949 and CVE-2020-28948, that affect Drupal 7, 8.8 and earlier, 8.9 and 9.0.
The vulnerabilities were discovered in Archive_Tar, the PEAR tar-handling library that Drupal core bundles. An attacker who can upload a tar archive that Drupal then hands to Archive_Tar could execute arbitrary PHP code on the site.
“To mitigate this issue, prevent untrusted users from uploading .tar, .tar.gz, .bz2, or .tlz files,” Drupal wrote in the advisory.
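One way to act on that mitigation is to audit the site's exported configuration for file fields that still accept those extensions. The script below is an added example, not code from the Drupal advisory or the Drupal project; it assumes a `drush config:export` directory containing `field.field.*.yml` files with a `settings: file_extensions:` key (Drupal stores the allowed extensions as one space-separated string), and the two sample configs embedded in it are constructed for illustration. It treats `gz` as risky because Drupal's extension list is flat: allowing `gz` allows a `.tar.gz` upload.

```python
"""Audit exported Drupal config for file fields that accept the archive
extensions named in SA-CORE-2020-013 (.tar, .tar.gz, .bz2, .tlz).
Added example; assumes a `drush config:export` directory layout."""
import re
from pathlib import Path

# Extensions whose presence in a field's `file_extensions` setting lets a
# user upload an archive that Archive_Tar may later process. "gz" is here
# because the setting is a flat list: allowing "gz" allows "foo.tar.gz".
RISKY_EXTENSIONS = {"tar", "gz", "bz2", "tlz"}

# Constructed sample: two field.field.*.yml files as config:export writes them.
SAMPLE_CONFIGS = {
    "field.field.node.article.field_attachment.yml": """
id: node.article.field_attachment
field_name: field_attachment
entity_type: node
bundle: article
field_type: file
settings:
  file_directory: attachments
  file_extensions: 'txt pdf TAR gz'
  max_filesize: ''
""",
    "field.field.node.page.field_image.yml": """
id: node.page.field_image
field_type: image
settings:
  file_extensions: 'png gif jpg jpeg'
""",
}

# Matches the single `file_extensions:` line; the value may be quoted or bare.
_EXT_RE = re.compile(r"^\s*file_extensions:\s*(.*?)\s*$", re.MULTILINE)


def allowed_extensions(config_text):
    """Return the set of extensions a field config allows, lower-cased and
    without a leading dot, so 'TAR' and '.tar' both compare as 'tar'."""
    m = _EXT_RE.search(config_text)
    if not m:
        return set()
    raw = m.group(1).strip().strip("'\"")
    return {ext.lower().lstrip(".") for ext in raw.split() if ext}


def risky_fields(configs):
    """Map each config file name to the sorted list of risky extensions it
    allows; fields with no risky extension are omitted."""
    findings = {}
    for name, text in configs.items():
        hits = allowed_extensions(text) & RISKY_EXTENSIONS
        if hits:
            findings[name] = sorted(hits)
    return findings


def load_field_configs(config_dir):
    """Read every field.field.*.yml below a config:export directory."""
    return {p.name: p.read_text() for p in Path(config_dir).glob("field.field.*.yml")}


if __name__ == "__main__":
    # Run against the constructed sample; pass load_field_configs("config/sync")
    # instead to audit a real export.
    for name, exts in risky_fields(SAMPLE_CONFIGS).items():
        print(f"{name}: allows {' '.join(exts)} - restrict the field to trusted users or drop the extension")
```

The check is deliberately conservative: it flags any field that lists one of the extensions, regardless of which roles can use the field, because the advisory's mitigation is about untrusted users and the role mapping is not visible in the field config alone.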
Drupal also noted that this update addresses a different issue from CVE-2020-13671, a remote code execution vulnerability it patched last week.