CVE-2020-13664

Description

Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability. Windows servers are most likely to be affected. This issue affects: Drupal Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior to 8.9.1; 9.0.1 versions prior to 9.0.1.

How to fix CVE-2020-13664

To remediate CVE-2020-13664, upgrade the affected package to a fixed version below.

• —upgrade to 8.8.8 or later
• —upgrade to 8.8.8 or later
• —upgrade to 8.8.8 or later
• —upgrade to 8.8.8 or later

Is CVE-2020-13664 being exploited?

Low — EPSS is 2.0%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• >= 8.8.0, < 8.8.8, >= 8.9.0, < 8.9.1, >= 9.0.0, < 9.0.1
• >= 8.0.0, < 8.8.8 | >= 8.9.0, < 8.9.1 | >= 9.0.0, < 9.0.1
• >= 8.8.0, < 8.8.8
• >= 8.8.0, < 8.8.8

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-13664
• PATCHgithub.com/drupal/core
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13664.yaml
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13664.yaml