Arbitrary Command Injection

The advisory has been revoked - it doesn't affect any version of package drupal7


Threat Intelligence

EPSS
1.96% (83rd percentile)

  • Snyk ID: SNYK-DEBIAN9-DRUPAL7-600220
  • Published: 19 Aug 2020
  • Disclosed: 5 May 2021

Introduced: 19 Aug 2020

CVE-2020-13664
CWE-77

Amendment

The Debian security team deemed this advisory irrelevant for Debian:9.

NVD Description

Note: Versions mentioned in the description apply only to the upstream drupal7 package and not the drupal7 package as distributed by Debian.

Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability. Windows servers are most likely to be affected. This issue affects: Drupal Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior to 8.9.1; 9.0.1 versions prior to 9.0.1.