← Back

CVE-2020-13671

nvd nist
Published: Nov 20, 2020Modified: Jun 17, 2026CISA KEV

JSON object

Loading...
8.8
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 5.9
Source: NVD

Description

Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.

Affected (6)

Drupal
1 product
Drupal
Fedoraproject
1 product
Fedora
Configuration A
4 vulnerable
Vulnerable SoftwareAffected Versions
Drupal
Drupal
From 7.0 to 7.74
Drupal
From 8.8.0 to 8.8.11
Drupal
From 8.9.0 to 8.9.9
Drupal
From 9.0.0 to 9.0.8
Configuration B
2 vulnerable
Vulnerable SoftwareAffected Versions
Fedoraproject
Fedora
Version 32
Fedora
Version 33

Related CWEs

CWE-434
Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (7)

Source: mlhess@drupal.org
Mailing ListRelease Notes
Source: mlhess@drupal.org
Mailing ListRelease Notes
Source: mlhess@drupal.org
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListRelease Notes
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListRelease Notes
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
US Government Resource

Timeline

No history available yet.