CVE-2020-28949, CVE-2020-28948: Drupal Arbitrary PHP Code Execution Vulnerability Alert

Comments Off on CVE-2020-28949, CVE-2020-28948: Drupal Arbitrary PHP Code Execution Vulnerability Alert
Drupal Remote Code Execution

On November 25, 2020, Drupal issued a risk notice for Drupal code execution vulnerabilities, the vulnerability number is CVE-2020-28949/CVE-2020-28948. The vulnerability level is a high risk. Remote attackers can cause arbitrary code execution by uploading specially constructed .tar, .tar.gz, .bz2, and .tlz files.

Vulnerability Detail

The PEAR Archive_Tar library is used in the Drupal project to manage files, and the library has security vulnerabilities. If Drupal is configured to allow uploading of .tar, .tar.gz, .bz2, .tlz files and processing them, it may cause code execution.

Affected version

  • Drupal: 9.0
  • Drupal: 8.9
  • Drupal: 8.8.x
  • Drupal: 7

Unaffected version

  • Drupal: 9.0.9
  • Drupal: 8.9.10
  • Drupal: 8.8.12
  • Drupal: 7.75

Solution

In this regard, we recommend that users upgrade Drupal to the latest version in time.

 

The post CVE-2020-28949, CVE-2020-28948: Drupal Arbitrary PHP Code Execution Vulnerability Alert appeared first on InfoTech News.

Related Articles

ABOUT US

Haxf4rall is a collective, a good starting point and provides a variety of quality material for cyber security professionals.

Our primary focus revolves around the latest tools released in the Infosec community and provide a platform for developers to showcase their skillset and current projects.

COMPANY
Live Chat
RESOURCES
Get Started
TOOLBOX
Tools Directory

2014 – 2020 | Haxf4rall.com               Stay Connected:

Facebook
Twitter
Google-plus
Wordpress