PT-2020-4195 · Drupal · Drupal Core

Lorenzo G · Published 2020-06-17 · Updated 2024-03-06 · CVE-2020-13664

CVSS v2.0: 9.3 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions:
Drupal Core versions prior to 8.8.8
Drupal Core versions prior to 8.9.1
Drupal Core version 9.0.1
Description: The issue is an arbitrary PHP code execution vulnerability that is exploitable under certain circumstances. An attacker could trick an administrator into visiting a malicious site, resulting in the creation of a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability. This issue is most likely to affect Windows servers. The vulnerability stems from insufficient authentication of the executed requests, which could allow a remote attacker to execute arbitrary code.
Recommendations: For Drupal Core versions prior to 8.8.8, update to version 8.8.8 or later. For Drupal Core versions prior to 8.9.1, update to version 8.9.1 or later. For Drupal Core version 9.0.1, update to a version later than 9.0.1. As a temporary workaround, consider restricting access to the file system to minimize the risk of exploitation.

Exploit

Fix

RCE

CSRF

Command Injection

Weakness Enumeration

Related Identifiers

BDU:2020-04629
BIT-DRUPAL-2020-13664
CVE-2020-13664
DRUPAL-CORE-2020-005
GHSA-X72F-GGJW-V5XH

Affected Products

Drupal Core