CVE-2020-13671

Summary

Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.

Affected Software

VendorProductVersion RangeStatus
DrupalDrupal Core9.0 versions prior to 9.0.8affected
DrupalDrupal Core8.9 versions prior to 8.9.9affected
DrupalDrupal Core8.8 versions prior to 8.8.11affected
DrupalDrupal Core7 versions prior to 7.74affected

Weaknesses

  • Remote code execution

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: active
    • Automatable: no
    • Technical Impact: total

Additional References

References