Four significant vulnerabilities, ranging in severity from somewhat critical to critical, were listed in a security advisory from Drupal. Versions 9.3 and 9.4 of Drupal are vulnerable.
A site and its server could be compromised if an attacker is able to run arbitrary code, according to the security advisory. Drupal said that Drupal 7 is not affected by these flaws.
Additionally, any Drupal versions older than 9.3.x have attained End of Life status, which means they will no longer receive security patches and are therefore dangerous to use.
According to Drupal, an attacker’s ability to issue any commands they want on a server is known as an arbitrary PHP code execution vulnerability.
“…the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files’ filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core’s default .htaccess files and possible remote code execution on Apache web servers.” Drupal said in its advisory.
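The advisory's point is that an upload whose name Apache would read as a per-directory configuration file must be neutralised no matter what extensions the site allows. The following is an added example written for this article, not Drupal core's own sanitizer; the function name, the policy it applies and the sample filenames are assumptions constructed here.

```php
<?php
// Added example (not Drupal core code): a defensive upload-filename check.
// Assumes Apache per-directory overrides are enabled, so a stored file
// named ".htaccess" would change server behaviour for that directory.
declare(strict_types=1);

/**
 * Return a safe storage filename, or null if the upload must be rejected.
 * Hypothetical policy: names Apache treats specially are refused outright,
 * independent of the site's allowed-extension list.
 */
function sanitize_upload_filename(string $original): ?string
{
    // Keep only the basename; drop NUL bytes and any directory component.
    $name  = basename(str_replace("\0", '', $original));
    $lower = strtolower($name); // comparison only; stored name keeps its case

    if ($lower === '' || $lower === '.' || $lower === '..') {
        return null;
    }
    // Apache's access file is ".htaccess"; its extension, as PHP's
    // pathinfo() sees it, is "htaccess". Refuse that extension and the
    // companion ".htpasswd" wherever they appear in the dotted name.
    foreach (explode('.', $lower) as $part) {
        if ($part === 'htaccess' || $part === 'htpasswd') {
            return null;
        }
    }
    // Apache's default config also protects "^\.ht" names; mirror that.
    if (substr($lower, 0, 3) === '.ht') {
        return null;
    }
    // Neutralise executable secondary extensions (e.g. "x.php.txt") by
    // replacing the dot, so Apache's MultiViews/AddHandler cannot match it.
    $munged = preg_replace('/\.(php\d?|phtml|phar)(?=\.)/i', '_$1', $name);
    return $munged ?? $name;
}

// Constructed inputs showing each decision.
foreach (['report.pdf', '.htaccess', '.HTACCESS', 'notes.htaccess', 'x.php.txt'] as $f) {
    printf("%-16s => %s\n", $f, var_export(sanitize_upload_filename($f), true));
}
```

Only `report.pdf` and the munged `x_php.txt` survive; every htaccess variant is rejected regardless of the allowed-extension list, which is the property the advisory says was lost when the two protections did not cooperate.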
Apache is the foundation for much other open source web software, such as PHP and WordPress.
Running a malicious file remotely is referred to as remote code execution, and it allows an attacker to take control of a website or the entire server. In this particular instance, the Apache web server software is what enables the attacker to directly target the web server.