CVE-2020-13671

Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.

Published: Nov 20, 2020
Updated: Nov 8, 2023
CVE: CVE-2020-13671
GHSA: GHSA-68jc-v27h-vhmw
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

CWE-434

Affected Software
References

Software	From	Fixed in
drupal / drupal	8.8	8.8.11
drupal / drupal	8.9	8.9.9
drupal / drupal	9.0	9.0.8
drupal / drupal	7.0	7.74
fedoraproject / fedora	32	32.x
fedoraproject / fedora	33	33.x
drupal / core	9.0.0	9.0.8
drupal / core	8.9.0	8.9.9
drupal / core	8.0.0	8.8.11
drupal / core	7.0	7.74

https://lists.fedoraproject.org/archives/list/[email protected]/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/
https://lists.fedoraproject.org/archives/list/[email protected]/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/
https://www.drupal.org/sa-core-2020-012

Vulnerability Database

289,599

CVE-2020-13671