Remote Code Execution Vulnerability Patched in Drupal


Updates released on Wednesday for the Drupal content management system (CMS) patch a remote code execution vulnerability related to failure to properly sanitize the names of uploaded files.

The vulnerability, tracked as CVE-2020-13671, has been classified as critical, but it’s worth mentioning that Drupal uses the NIST Common Misuse Scoring System, which assigns vulnerabilities a score ranging between 0 and 25, with “critical” being only the second highest rating, after “highly critical.”

An attacker who can upload files to a server can use certain types of extensions to bypass restrictions and get malicious code executed.
