Arbitrary Code Execution
Affecting drupal/core package, versions >=7.0.0, <7.6.2 || >=8.5.0, <8.5.9 || >=8.6.0, <8.6.6
drupal/core is an open source content management platform powering millions of websites and applications.
Affected versions of this package are vulnerable to Arbitrary Code Execution.
An attacker can perform file operations on an untrusted
phar:// URI because of insufficiently validated user input.
This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.
drupal/core to version 7.6.2, 8.5.9, 8.6.6 or higher.