CVE-2020-13664
Published 2021-05-05
CVE-2020-13664: Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. An attacker could trick an administrator into visiting a malicious site…
Priority P3 52 | high | 8.8 CVSS 3.1
AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
EPSS: 2.98% (85.6th percentile)
Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability. Windows servers are most likely to be affected. This issue affects: Drupal Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior to 8.9.1; 9.0.1 versions prior to 9.0.1.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | core | >= 8.0.0 < 8.8.8 | 8.8.8 |
| drupal | core | >= 8.8.0 < 8.8.8 | 8.8.8 |
| drupal | core | >= 8.9.0 < 8.9.1 | 8.9.1 |
| drupal | core | >= 9.0.0 < 9.0.1 | 9.0.1 |
| drupal | drupal | >= 8.8.0 < 8.8.8 | 8.8.8 |
| drupal | drupal | >= 8.8.0 < 8.8.8 | 8.8.8 |
| drupal | drupal | >= 8.9.0 < 8.9.1 | 8.9.1 |
| drupal | drupal | >= 8.9.0 < 8.9.1 | 8.9.1 |
| drupal | drupal | >= 9.0.0 < 9.0.1 | 9.0.1 |
| drupal | drupal | >= 9.0.0 < 9.0.1 | 9.0.1 |
| drupal | drupal_core | — | — |
| drupal | drupal_core | >= 8.8.x < 8.8.8 | 8.8.8 |
| drupal | drupal_core | >= 8.9.x < 8.9.1 | 8.9.1 |
| drupal | drupal_core | >= 9.0.1 < 9.0.1 | 9.0.1 |
CVSS provenance
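| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |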
GHSA
Drupal Core Arbitrary PHP code execution vulnerability
ghsa·2022-05-24
CVE-2020-13664 [HIGH] CWE-77 Drupal Core Arbitrary PHP code execution vulnerability
Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability. Windows servers are most likely to be affected. This issue affects: Drupal Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior to 8.9.1; 9.0.1 versions prior to 9.0.1.
OSV
Drupal Core Arbitrary PHP code execution vulnerability
osv·2022-05-24
CVE-2020-13664 [HIGH] Drupal Core Arbitrary PHP code execution vulnerability
Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability. Windows servers are most likely to be affected. This issue affects: Drupal Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior to 8.9.1; 9.0.1 versions prior to 9.0.1.
OSV
CVE-2020-13664: Drupal 8 and 9 have a remote code execution vulnerability under certain circumstances
osv·2020-06-17
Drupal 8 and 9 have a remote code execution vulnerability under certain circumstances.
An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability.
Windows servers are most likely to be affected.
Drupal
Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-005
vendor_drupal·2020-06-17
CVE-2020-13664 [HIGH] Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-005
Title: Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-005
Vulnerability Type: Arbitrary PHP code execution
Description: Drupal 8 and 9 have a remote code execution vulnerability under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability. Windows servers are most likely to be affected.
Solution: Install the latest version: If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8. If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1. If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1. Versions of Drupal 8 prior to 8.8.x are end-of-life
No detection rules found.
No public exploits indexed.