Drupal 8 and 9 core - Critical - Arbitrary PHP code execution - SA-CORE-2020-005
Project: Drupal core Date: 2020-June-17 Security risk: Critical 17∕25 Vulnerability: Arbitrary PHP code execution CVE IDs: CVE-2020-13664
Drupal 8 and 9 have a remote code execution vulnerability under certain circumstances.
An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability.
Windows servers are most likely to be affected.
Install the latest version:
Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.8.