U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Drupal addressed CVE-2020-13671 Remote Code Execution flaw

Drupal development team has released security updates to address a remote code execution flaw, tracked as CVE-2020-13671. The Drupal development team has released security updates to fix a remote code execution vulnerability related caused by the failure to properly sanitize the names of uploaded files. The vulnerability, tracked as CVE-2020-13671, has been classified as critical […]

Drupal PHP code execution

Drupal development team has released security updates to address a remote code execution flaw, tracked as CVE-2020-13671.

The Drupal development team has released security updates to fix a remote code execution vulnerability related caused by the failure to properly sanitize the names of uploaded files.

The vulnerability, tracked as CVE-2020-13671, has been classified as critical according to the NIST Common Misuse Scoring System.

The vulnerability could be exploited by an attacker by uploading files with certain types of extensions (phar, php, pl, py, cgi, html, htm, phtml, js, and asp) to the server to achieve remote code execution.

“Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.” reads the security advisory published by Drupal.

The development team has addressed the flaw in Drupal 7, 8 and 9 with the release of versions 7.74, 8.8.11, 8.9.9, and 9.0.8.

The vulnerability was reported to team by the following experts:

The development team recommends users to check their servers for files that include more than one extension, such as filename.php.txt or filename.html.gif.

In March, the development team released security updates for versions 8.8.x and 8.7.x that fix two XSS vulnerabilities affecting the CKEditor library.

In May they addressed XSS and open redirect flaws, while in June they released security updates to address multiple security vulnerabilities, including a “critical” flaw tracked as CVE-2020-13664 that could be exploited by an attacker to execute arbitrary PHP code.

In September, Drupal maintainers fixed several information disclosure and cross-site scripting (XSS) vulnerabilities in the popular content management system (CMS).

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Drupal)

[adrotate banner=”5″]

[adrotate banner=”13″]