Drupal has released a security advisory to address a vulnerability in Drupal Core caused by improper sanitisation of the filenames of uploaded files. A remote attacker may exploit the vulnerability by uploading a malicious file with a specially crafted filename.
Please note that Drupal 8 versions prior to 8.8.x have reached End-of-Life (EOL), and no security updates will be provided for them. Users should arrange to upgrade Drupal to a supported version or migrate to another supported technology.
A successful attack could lead to remote code execution on an affected system.
The product vendor has released patches to address the issue.
https://www.drupal.org/sa-core-2020-012
https://www.drupal.org/core/release-cycle-overview
https://www.hkcert.org/my_url/en/alert/20111903
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13671