<div dir="ltr"><br><div class="gmail_quote"><br>View online: <a href="https://www.drupal.org/sa-core-2020-005" rel="noreferrer" target="_blank">https://www.drupal.org/sa-core-2020-005</a><br>
<br>
Project: Drupal core [1]<br>
Date: 2020-June-17<br>
Security risk: *Critical* 17∕25<br>
AC:Complex/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon [2]<br>
Vulnerability: Arbitrary PHP code execution<br>
<br>
CVE IDs: CVE-2020-13664<br>
Description: <br>
Drupal 8 and 9 have a remote code execution vulnerability under certain<br>
circumstances.<br>
<br>
An attacker could trick an administrator into visiting a malicious site that<br>
could result in creating a carefully named directory on the file system. With<br>
this directory in place, an attacker could attempt to brute force a remote<br>
code execution vulnerability.<br>
<br>
Windows servers are most likely to be affected.<br>
<br>
Solution: <br>
Install the latest version:<br>
<br>
   * If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8 [3].<br>
   * If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1 [4].<br>
   * If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1 [5].<br>
<br>
Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive<br>
security coverage. Sites on 8.7.x or earlier should update to 8.8.8.<br>
<br>
Reported By: <br>
   * Lorenzo G  [6]<br>
   * Sam Thomas  [7]<br>
<br>
Fixed By: <br>
   * Jess   [8] of the Drupal Security Team<br>
   * Samuel Mortenson  [9] of the Drupal Security Team<br>
   * Peter Wolanin  [10] of the Drupal Security Team<br>
   * Lorenzo G  [11]<br>
   * Lee Rowlands  [12] of the Drupal Security Team<br>
   * Greg Knaddison  [13] of the Drupal Security Team<br>
   * Cash Williams  [14] of the Drupal Security Team<br>
   * Heine  [15] of the Drupal Security Team<br>
   * Drew Webber  [16] of the Drupal Security Team<br>
   * Alex Pott  [17] of the Drupal Security Team<br>
   * Gábor Hojtsy  [18]<br>
<br>
<br>
[1] <a href="https://www.drupal.org/project/drupal" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal</a><br>
[2] <a href="https://www.drupal.org/security-team/risk-levels" rel="noreferrer" target="_blank">https://www.drupal.org/security-team/risk-levels</a><br>
[3] <a href="https://www.drupal.org/project/drupal/releases/8.8.8" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal/releases/8.8.8</a><br>
[4] <a href="https://www.drupal.org/project/drupal/releases/8.9.1" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal/releases/8.9.1</a><br>
[5] <a href="https://www.drupal.org/project/drupal/releases/9.0.1" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal/releases/9.0.1</a><br>
[6] <a href="https://www.drupal.org/user/3644903" rel="noreferrer" target="_blank">https://www.drupal.org/user/3644903</a><br>
[7] <a href="https://www.drupal.org/user/3603418" rel="noreferrer" target="_blank">https://www.drupal.org/user/3603418</a><br>
[8] <a href="https://www.drupal.org/user/65776" rel="noreferrer" target="_blank">https://www.drupal.org/user/65776</a><br>
[9] <a href="https://www.drupal.org/user/2582268" rel="noreferrer" target="_blank">https://www.drupal.org/user/2582268</a><br>
[10] <a href="https://www.drupal.org/user/49851" rel="noreferrer" target="_blank">https://www.drupal.org/user/49851</a><br>
[11] <a href="https://www.drupal.org/user/3644903" rel="noreferrer" target="_blank">https://www.drupal.org/user/3644903</a><br>
[12] <a href="https://www.drupal.org/user/395439" rel="noreferrer" target="_blank">https://www.drupal.org/user/395439</a><br>
[13] <a href="https://www.drupal.org/user/36762" rel="noreferrer" target="_blank">https://www.drupal.org/user/36762</a><br>
[14] <a href="https://www.drupal.org/user/421070" rel="noreferrer" target="_blank">https://www.drupal.org/user/421070</a><br>
[15] <a href="https://www.drupal.org/user/17943" rel="noreferrer" target="_blank">https://www.drupal.org/user/17943</a><br>
[16] <a href="https://www.drupal.org/user/255969" rel="noreferrer" target="_blank">https://www.drupal.org/user/255969</a><br>
[17] <a href="https://www.drupal.org/user/157725" rel="noreferrer" target="_blank">https://www.drupal.org/user/157725</a><br>
[18] <a href="https://www.drupal.org/user/4166" rel="noreferrer" target="_blank">https://www.drupal.org/user/4166</a><br>
<br>
_______________________________________________<br>
Security-news mailing list<br>
<a href="mailto:Security-news@drupal.org" target="_blank">Security-news@drupal.org</a><br>
Unsubscribe at <a href="https://lists.drupal.org/mailman/listinfo/security-news" rel="noreferrer" target="_blank">https://lists.drupal.org/mailman/listinfo/security-news</a><br>
</div></div>