Drupal fixes three vulnerabilities, including one RCE

Drupal’s security team has fixed three vulnerabilities in the popular content management system’s core, one of which (CVE-2020-13663) could be exploited to achieve remote code execution.


Drupal is a free and open-source web content management system (CMS), and over a million sites run on various versions of it.

The most recent stable version is 9.x, released earlier this month.

About the most recently fixed vulnerabilities

Three security holes have been plugged with the latest versions of Drupal core (9.0.1):

CVE-2020-13664 is the most critical one, but can be only triggered under certain circumstances.

“An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability,” Drupal’s security team explained, and added that Windows servers are most likely to be affected.

CVE-2020-13665 is an access bypass flaw that can be exploited only on sites that have the read_only set to FALSE under jsonapi.settings configuration. (By default, JSON:API works in a read-only mode.)

Both of these flaws affect Drupal versions 8.8.x, 8.9.x and 9.0.x. The third one – CVE-2020-13663 – also affects Drupal 7.x, the most widely used Drupal version (both according to Drupal and W3Techs).

CVE-2020-13663 is a document object model-based cross-site scripting (DOM XSS) vulnerability that was unearthed by Checkmarx researcher Dor Tumarkin.

“This type of XSS attack is achievable if a web application enters data to the DOM without being appropriately sanitized. In this case, an attacker can manipulate their input data to include XSS content on the web page, for example, malicious JavaScript code, which in-turn would be consumed by Drupal Core itself,” the company explained.

“An attacker abusing this vulnerability can take over the administrator role of a Drupal-based website and get full control that allows changing of content, creating malicious links, stealing sensitive or financial data, or whatever else comes to mind.”

What to do?

Admins of Drupal-based sites are advised to upgrade to Drupal v7.72, 8.8.8, 8.9.1 or 9.0.1.

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Drupal v7.x is still maintained and receives security updates, but it will reach end-of-life in November of 2021, so admins that use it are urged to start planning the upgrade to a newer version, preferably 9.x.

Don't miss