The Drupal development team has released security updates to fix a remote code execution vulnerability related caused by the failure to properly sanitize the names of uploaded files.
The vulnerability, tracked as CVE-2020-13671, has been classified as critical according to the NIST Common Misuse Scoring System.
The vulnerability could be exploited by an attacker by uploading files with certain types of extensions (phar, php, pl, py, cgi, html, htm, phtml, js, and asp) to the server to achieve remote code execution.
“Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.” reads the security advisory published by Drupal.
The development team has addressed the flaw in Drupal 7, 8 and 9 with the release of versions 7.74, 8.8.11, 8.9.9, and 9.0.8.
The vulnerability was reported to team by the following experts:
The development team recommends users to check their servers for files that include more than one extension, such as filename.php.txt or filename.html.gif.
In March, the development team released security updates for versions 8.8.x and 8.7.x that fix two XSS vulnerabilities affecting the CKEditor library.
In May they addressed XSS and open redirect flaws, while in June they released security updates to address multiple security vulnerabilities, including a “critical” flaw tracked as CVE-2020-13664 that could be exploited by an attacker to execute arbitrary PHP code.
In September, Drupal maintainers fixed several information disclosure and cross-site scripting (XSS) vulnerabilities in the popular content management system (CMS).
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Drupal)
[adrotate banner=”5″]
[adrotate banner=”13″]
BlackBerry reported that the financially motivated group FIN7 targeted the IT department of a large…
An international law enforcement operation led to the disruption of the prominent phishing-as-a-service platform LabHost.…
Russia-linked APT Sandworm employed a previously undocumented backdoor called Kapeka in attacks against Eastern Europe since…
Cisco has addressed a high-severity vulnerability in its Integrated Management Controller (IMC) for which publicly…
Threat actors are exploiting the CVE-2023-22518 flaw in Atlassian servers to deploy a Linux variant of…
Ivanti addressed two critical vulnerabilities in its Avalanche mobile device management (MDM) solution, that can…
This website uses cookies.