Vulnerability detail
Enriched intelligence for a single CVE
High
CVE-2020-13671
PUBLISHEDDrupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension...
- Vendor
- Drupal
- Product
- Drupal Core
- Published
- Nov 20, 2020
- EPSS
- —
Description
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.
CVSS scores
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AV:N/AC:L/Au:S/C:P/I:P/A:P
Exploitation status
Exploited in the wild
Recorded 2022-01-18 00:00:00 UTC · Source
SSVC decision points
- Exploitation
- active
- Automatable
- No
- Technical impact
- total
References
- https://www.drupal.org/sa-core-2020-012
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/
Known exploited vulnerability sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| CISA | Jan 18, 2022 |
Timeline
-
CVE ID Reserved
-
CVE Published to Public
-
Added to KEVIntel