CVE-2020-13671
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension...
Basic Information
- CVE State
- PUBLISHED
- Reserved Date
- May 28, 2020
- Published Date
- November 20, 2020
- Last Updated
- February 07, 2025
- Vendor
- Drupal
- Product
- Drupal Core
- Description
- Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.
- Tags
- Exploitation
- active
- Technical Impact
- total
- Exploited in the Wild
- Yes (2022-01-18 00:00:00 UTC) Source
drupal
php
cisa
CVSS Scores
CVSS v3.1
8.8 - HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v2.0
6.5
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
SSVC Information
Exploit Status
References
https://www.drupal.org/sa-core-2020-012
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| CISA | 2022-01-18 00:00:00 UTC |
Timeline
-
CVE ID Reserved
-
CVE Published to Public
-
Added to KEVIntel