Drupal has released an emergency fix for critical vulnerabilities, with publicly known exploits, that could allow arbitrary PHP code execution on certain versions of the CMS.
The Drupal project uses the PEAR Archive_Tar library, which was recently updated to address CVE-2020-28948 and CVE-2020-28949.
As a result, several vulnerabilities affect Drupal installations that are configured to accept and process .tar, .tar.gz, .bz2, or .tlz file uploads.
The advisory published by CISA states that Drupal has released security updates addressing vulnerabilities in Drupal 7, 8.8 and earlier, 8.9, and 9.0. An attacker could exploit these vulnerabilities to take control of an affected system.
To address the issues, Drupal released the following updates:
- Drupal 9.0 users should update to Drupal 9.0.9
- Drupal 8.9 users should update to Drupal 8.9.10
- Drupal 8.8 or earlier users should update to Drupal 8.8.12
- Drupal 7 users should update to Drupal 7.75
The Drupal security team further noted that versions of Drupal 8 before 8.8.x are end-of-life and will not receive a security update.
The team also suggests mitigating the issue by restricting unauthenticated users from uploading .tar, .tar.gz, .bz2, or .tlz files.
Currently, around 944,000 websites run the vulnerable Drupal versions out of a total of 1,120,941 websites, according to the official statistics published on the project's website.
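To turn the update list above into a check that can be run over a site inventory, here is an added Python example (not code from the Drupal project or from this article); it assumes plain core version strings like those listed, and the branch-to-fix mapping is taken only from the versions named here:

```python
"""Triage Drupal core versions against the Archive_Tar advisory updates.

Added example: reports whether a given version is already patched, needs the
listed update, or sits on an end-of-life 8.x branch (before 8.8) that gets no fix.
"""
import re
from typing import Tuple

# Minimum fixed release per branch, as listed in the advisory text.
FIXED = {
    (7,): (7, 75),
    (8, 8): (8, 8, 12),
    (8, 9): (8, 9, 10),
    (9, 0): (9, 0, 9),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.9.10' or '7.75' into a comparable int tuple; reject anything else."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+){1,2}", text):
        raise ValueError(f"unrecognised Drupal version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def triage(text: str) -> str:
    """Classify one version string as patched, vulnerable, end-of-life or unknown."""
    v = parse_version(text)
    if v[0] == 7:
        fix = FIXED[(7,)]                      # 7.x is a single branch
    elif v[0] == 8 and v[1] < 8:
        # 8.0-8.7 are end-of-life: the only path is onto the 8.8.12 release.
        return "end-of-life: 8.x before 8.8 gets no fix; move to 8.8.12 or later"
    elif v[:2] in FIXED:
        fix = FIXED[v[:2]]                     # 8.8, 8.9, 9.0
    else:
        return "not covered by this advisory table; check drupal.org"
    fix_str = ".".join(map(str, fix))
    if v >= fix:
        return f"patched (>= {fix_str})"
    return f"vulnerable: update to {fix_str}"


if __name__ == "__main__":
    # Constructed inventory, not real sites.
    for site_version in ["9.0.8", "8.9.10", "8.7.14", "7.74"]:
        print(f"{site_version:>8}: {triage(site_version)}")
```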
Drupal is the fourth most popular CMS on the Internet after WordPress, Shopify and Joomla.