The vulnerability, tracked as CVE-2020-13671, has been classified as critical according to NIST Common Misuse Scoring System. The vulnerability could be exploited by an attacker by uploading files with certain extensions (phar,php, pl, py, cgi, html, htm, phtml, js, and asp) to the server to achieve remote code execution. The development team has addressed the flaw in Drupal 7, 8 and 9 with the release of versions 7.74, 8.8.11,.8.9, and 9.0.0.”]
Source: https://securityaffairs.co/wordpress/111177/security/drupal-remote-code-execution.html