As part of our ongoing mission to help organizations develop and deploy more secure software and applications, and in light of Checkmarx’s expanded insight into the open source security landscape with its recently launched SCA solution, the Checkmarx Security Research Team analyzed Drupal, an open source content management system (CMS) and one of the top 10 most used PHP resources (frameworks, libraries, etc.) among our customers. Over one million websites run on Drupal, including enterprise and government sites worldwide. Drupal had just released two major versions, which piqued our researchers’ interest. Once the team got to work on the two latest versions of Drupal, they quickly found that both were exploitable. Drupal later confirmed that every maintained version of Drupal (7.x, 8.8.x, 8.9.x) was easily exploitable by the same techniques. These issues were discovered by Dor Tumarkin of the Checkmarx Security Research Team. Drupal acknowledged and patched the vulnerability, assigning it CVE-2020-13663. More information can be found below and on their security advisories page.
What is the Risk?
An attacker abusing this vulnerability can take over the administrator role of a Drupal-based website and gain full control of it, allowing them to change content, create malicious links, steal sensitive or financial data, or whatever else comes to mind.
Drupal Assigns CVE-2020-13663
Drupal rated the security risk of the vulnerability our team discovered as follows:
- Risk: Critical
- Access Complexity: Complex
- Authentication: All/Anonymous Users
- Confidentiality Impact: Certain Non-Public Data is Released
- Integrity Impact: Some Data Can be Modified
- Exploit (Zero-day Impact): Theoretical or White-hat (no public exploit code or documentation on development exists)
- Target Distribution: All Module Configurations are Exploitable