From securityweek.com
Updates released on Wednesday for the Drupal content management system (CMS) patch a remote code execution vulnerability related to failure to properly sanitize the names of uploaded files.
The vulnerability, tracked as CVE-2020-13671, has been classified as critical, but it’s worth mentioning that Drupal uses the NIST Common Misuse Scoring System, which assigns vulnerabilities a score ranging between 0 and 25, with “critical” being only the second highest rating, after “highly critical.”
An attacker who can upload files to a server can use certain types of extensions to bypass restrictions and get malicious code executed.