CVE-2020-13664

CWE-77Command Injection6 documents5 sources
Severity
8.8HIGH
EPSS
2.0%
top 16.49%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Drupal Drupal CoreDrupal DrupalDrupal Core
Timeline
PublishedMay 5
Latest updateMay 24

Description

Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability. Windows servers are most likely to be affected. This issue affects: Drupal Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior to 8.9.1; 9.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

Packagistdrupal/core8.8.08.8.8+3
CVEListV5drupal/drupal_core8.8.x8.8.8+2
NVDdrupal/drupal8.8.08.8.8+2
Packagistdrupal/drupal8.8.08.8.8+2

🔴Vulnerability Details

4
GHSA
Drupal Core Arbitrary PHP code execution vulnerability2022-05-24
OSV
Drupal Core Arbitrary PHP code execution vulnerability2022-05-24
CVEList
CVE-2020-13664: Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances2021-05-05
OSV
CVE-2020-13664: Drupal 8 and 9 have a remote code execution vulnerability under certain circumstances2020-06-17

📋Vendor Advisories

1
Drupal
Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-0052020-06-17
CVE-2020-13664 (HIGH CVSS 8.8) | Arbitrary PHP code execution vulner | cvebase.io