Original Release Date: 6/26/2020
Three vulnerabilities, two deemed critical, have been identified in the open source content management system (CMS) Drupal. Considered the most critical of the three, CVE-2020-13664 is a remote code execution vulnerability affecting Drupal versions 8 and 9; however, exploitation is only possible under specific conditions involving user interaction. The second critical flaw, CVE-2020-13663, affects Drupal 7, 8, and 9, and is a document object model-based cross-site scripting (DOM XSS) vulnerability that may allow an attacker to manipulate web page content for malicious intent. Lastly, CVE-2020-13665 is an access bypass vulnerability affecting only Drupal 8 and 9 websites that are configured with the “read_only” option under jsonapi.settings set to “False”.
The NJCCIC recommends Drupal users upgrade to the patched release for their branch: 7.72, 8.8.8, 8.9.1, or 9.0.1. Drupal 8 releases prior to 8.8.x are end-of-life and receive no fix; therefore, administrators running them are encouraged to upgrade to a supported version. Further details can be found in the HelpNet Security article.
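The following triage helper is an added example written for this advisory; it is not NJCCIC, Drupal or HelpNet Security code. It takes only the facts stated above (the affected major versions per CVE, the fixed releases per branch, the end-of-life status of 8.0.x through 8.7.x, and the jsonapi.settings read_only condition for CVE-2020-13665) and tells an administrator which of the three advisories still apply to a given install. The function names, the version-string handling and the constructed jsonapi.settings.yml snippet are assumptions of the example; the real exported config file carries more keys than the one shown.

```python
"""Triage helper for the June 2020 Drupal core advisories (added example, not advisory code).

Inputs: the installed Drupal core version string and the site's jsonapi.settings
read_only value. Output: whether the install is patched, whether its branch is
end-of-life, the release that fixes it, and which CVEs still apply.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Minimum fixed release per branch, exactly as listed in the advisory.
FIXED_IN: Dict[str, str] = {
    "7": "7.72",
    "8.8": "8.8.8",
    "8.9": "8.9.1",
    "9": "9.0.1",
}

# Core majors each CVE covers, as stated in the advisory text.
AFFECTED_MAJORS: Dict[str, Tuple[int, ...]] = {
    "CVE-2020-13663": (7, 8, 9),
    "CVE-2020-13664": (8, 9),   # exploitable only under conditions involving user interaction
    "CVE-2020-13665": (8, 9),   # only when jsonapi.settings read_only is set to false
}

# Constructed sample of an exported config/sync/jsonapi.settings.yml (assumption: not a real site's file).
CONSTRUCTED_JSONAPI_SETTINGS_YML = "# constructed jsonapi.settings.yml\nread_only: false\n"


def parse_version(text: str) -> Version:
    """Turn '7.72', '8.8.7' or '9.0.1-dev' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    if not parts:
        raise ValueError(f"not a Drupal version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)   # Drupal 7 versions have only two components
    return parts[0], parts[1], parts[2]


def branch_of(version: Version) -> str:
    """Drupal 8 is supported per minor branch (8.8, 8.9); 7 and 9 are treated per major here."""
    major, minor, _ = version
    return f"{major}.{minor}" if major == 8 else str(major)


def read_only_from_config(yaml_text: str) -> Optional[bool]:
    """Extract the read_only flag from an exported jsonapi.settings.yml without a YAML library."""
    match = re.search(r"^\s*read_only:\s*(true|false)\b", yaml_text, re.IGNORECASE | re.MULTILINE)
    return None if match is None else match.group(1).lower() == "true"


def triage(version_text: str, jsonapi_read_only: Optional[bool] = None) -> Dict[str, object]:
    """Report patch status and the CVEs from this advisory that still apply.

    jsonapi_read_only is the site's jsonapi.settings read_only value, or None when the
    JSON:API module is not enabled; CVE-2020-13665 is counted only when it is False.
    """
    version = parse_version(version_text)
    major = version[0]
    if major not in (7, 8, 9):
        raise ValueError(f"this advisory does not cover Drupal {major}")
    fixed_text = FIXED_IN.get(branch_of(version))
    end_of_life = major == 8 and fixed_text is None      # 8.0.x through 8.7.x get no fix
    patched = fixed_text is not None and version >= parse_version(fixed_text)

    applicable: List[str] = []
    if not patched:
        for cve, majors in AFFECTED_MAJORS.items():
            if major not in majors:
                continue
            if cve == "CVE-2020-13665" and jsonapi_read_only is not False:
                continue   # access bypass needs read_only explicitly set to false
            applicable.append(cve)

    return {
        "version": version_text,
        "patched": patched,
        "end_of_life": end_of_life,
        "fixed_in": fixed_text or "no fix for this branch; move to 8.8.8 or 8.9.1",
        "applicable": applicable,
    }


if __name__ == "__main__":
    flag = read_only_from_config(CONSTRUCTED_JSONAPI_SETTINGS_YML)
    for sample in ("7.71", "8.7.14", "8.8.7", "8.8.8", "9.0.0", "9.0.1"):
        print(triage(sample, flag))
```

Run it against the version reported by the site's status page and the exported jsonapi.settings.yml; an empty "applicable" list with "patched": True is the state to aim for. Because the end-of-life 8.0.x through 8.7.x branches have no fixed release, the helper reports every applicable CVE for them until the site is moved to 8.8.8 or 8.9.1.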