New Delhi, Nov 22 : Drupal, which is currently the fourth most used content management service (CMS) platform on Internet after WordPress, Shopify and Joomla, has fixed a critical bug that could allow hackers to gain full access over vulnerable websites.
The Drupal team this week released security updates to patch the critical vulnerability, reports ZDNet.
Tracked as CVE-2020-13671, the vulnerability is easy to exploit and relies on “double extension” trick.
“Attackers can add a second extension to a malicious file, upload it on a Drupal site through open upload fields, and have the malicious executed,” the report said on Saturday.
The Drupal team said the vulnerability the CMS does not sanitise “certain” file names, allowing some malicious files to slip through.
This can lead to “files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations”.
Related stories
Subscribe
- Never miss a story with notifications
- Gain full access to our premium content
- Browse free from up to 5 devices at once
Latest stories