CVE-2020-13671
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension...
Basic Information
- CVE State: PUBLISHED
- Reserved Date: May 28, 2020
- Published Date: November 20, 2020
- Last Updated: February 07, 2025
- Vendor: Drupal
- Product: Drupal Core
- Description: Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.
SSVC Information
- Exploitation: active
- Technical Impact: total
Exploit Status
- Exploited in the Wild: Yes (added 2022-01-18 00:00:00 UTC)
References
https://www.drupal.org/sa-core-2020-012
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/
Known Exploited Vulnerability Information
Source | Added Date |
---|---|
CISA | 2022-01-18 00:00:00 UTC |