Drupal has released security updates to address a Critical cross-site request forgery (CSRF) vulnerability and an arbitrary PHP code execution vulnerability affecting multiple versions of Drupal.
A remote attacker could exploit these vulnerabilities to compromise an affected system.
In the first security advisory, SA-CORE-2020-004, Drupal patched one Critical CSRF vulnerability, CVE-2020-13663.
This issue exists because the Drupal core Form API does not properly handle certain form input submitted through cross-site requests, which can also lead to other vulnerabilities.
In the second advisory, SA-CORE-2020-005, Drupal patched an arbitrary PHP code execution vulnerability, CVE-2020-13664, that affects Drupal 8 and 9.
“An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability,” Drupal explained in the advisory.
Finally, Drupal said that all Windows servers are likely affected.