On November 25, 2020, Drupal issued a risk notice for Drupal code execution vulnerabilities, tracked as CVE-2020-28949 and CVE-2020-28948. The vulnerabilities are rated high risk. Remote attackers can achieve arbitrary code execution by uploading specially crafted .tar, .tar.gz, .bz2, and .tlz files.
Drupal uses the PEAR Archive_Tar library to manage archive files, and the library has security vulnerabilities. If Drupal is configured to allow uploads of .tar, .tar.gz, .bz2, or .tlz files and to process them, this may lead to code execution.
Affected versions:
- Drupal: 9.0
- Drupal: 8.9
- Drupal: 8.8.x
- Drupal: 7
Fixed versions:
- Drupal: 9.0.9
- Drupal: 8.9.10
- Drupal: 8.8.12
- Drupal: 7.75
We recommend that users upgrade Drupal to the latest version promptly.
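The two conditions above (a release older than the fixed version for its branch, and an upload allow-list that accepts the listed archive types) can be checked together when triaging a site inventory. The following is an added example, not code from Drupal or from the advisory; the function names are hypothetical, and it assumes the site's allowed upload extensions are available as a space-separated string that is matched against the end of the file name.

```python
import re

# Fixed releases per branch, taken from the version list above.
FIXED = {(9, 0): (9, 0, 9), (8, 9): (8, 9, 10), (8, 8): (8, 8, 12), (7,): (7, 75)}
# Archive suffixes named in the advisory.
ARCHIVE_SUFFIXES = (".tar", ".tar.gz", ".bz2", ".tlz")


def parse_version(text):
    """Turn '8.9.10' or '7.75' into a tuple of ints; reject anything else."""
    if not re.fullmatch(r"\d+(\.\d+){1,2}", text.strip()):
        raise ValueError(f"unrecognised Drupal version: {text!r}")
    return tuple(int(p) for p in text.strip().split("."))


def needs_upgrade(version):
    """True/False for branches the advisory lists, None for any other branch."""
    v = parse_version(version)
    branch = v[:1] if v[0] == 7 else v[:2]
    fixed = FIXED.get(branch)
    if fixed is None:
        return None  # branch not covered by the advisory's list
    return v < fixed


def accepted_archives(allowed_extensions):
    """Advisory suffixes that pass a space-separated extension allow-list."""
    # Assumption: the allow-list matches the end of the file name, so an
    # entry of 'gz' also lets 'upload.tar.gz' through.
    allowed = [e.lower().lstrip(".") for e in allowed_extensions.split()]
    return [s for s in ARCHIVE_SUFFIXES
            if any(("upload" + s).endswith("." + e) for e in allowed)]


def triage(version, allowed_extensions):
    """Combine both conditions from the advisory into one finding."""
    archives = accepted_archives(allowed_extensions)
    outdated = needs_upgrade(version)
    if outdated is None:
        status = "unknown-branch"
    elif outdated and archives:
        status = "exposed"
    elif outdated:
        status = "upgrade"
    else:
        status = "patched"
    return {"status": status, "archives": archives}
```

A result of "upgrade" still means the site runs a release older than the fixed one; it only indicates that the upload path described above is not open through the allow-list that was checked.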
The post CVE-2020-28949, CVE-2020-28948: Drupal Arbitrary PHP Code Execution Vulnerability Alert appeared first on InfoTech News.