Drupal has released updated versions (7.72, 8.8.8, 8.9.1 and 9.0.1) of its CMS software to patch 3 critical vulnerabilities:
CSRF (CVE-2020-13663)
The Drupal core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.
Recommended actions:
Install the latest version:
- If you are using Drupal 7.x, upgrade to Drupal 7.72.
- If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8.
- If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1.
- If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1.
- Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.8.
You can find more information regarding this vulnerability and the mitigation steps in Drupal Security advisories
RCE (CVE-2020-13664)
Drupal 8 and 9 have a remote code execution vulnerability under certain circumstances.
An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability.
Windows servers are most likely to be affected.
Recommended actions:
Install the latest version:
- If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8.
- If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1.
- If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1.
- Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.8.
You can find more information regarding this vulnerability and the mitigation steps in Drupal Security advisories
Access bypass (CVE-2020-13665)
JSON:API PATCH requests may bypass validation for certain fields.
By default, JSON:API works in a read-only mode which makes it impossible to exploit the vulnerability. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable.
Recommended actions:
Install the latest version:
- If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8.
- If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1.
- If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1.
- Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.8.
You can find more information regarding this vulnerability and the mitigation steps in Drupal Security advisories