CVE-2020-13671
HIGH | CISA KEV | 8.8
Description
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.
CVE Details
CVSS v3.1 Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Published: 11/20/2020
Last Modified: 11/3/2025
Source: kev
Honeypot Sightings: 0
CISA KEV
Vendor: Drupal
Product: Drupal core
Vulnerability Name: Drupal core Un-restricted Upload of File
KEV Date Added: 2022-01-18
Remediation Due Date: 2022-07-18
Ransomware Use: Unknown
Affected Products
drupal:drupal
fedoraproject:fedora
Weaknesses (CWE)
CWE-434
References
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/ (mlhess@drupal.org)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/ (mlhess@drupal.org)
https://www.drupal.org/sa-core-2020-012 (mlhess@drupal.org)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/ (af854a3a-2127-422b-91ae-364da2661108)
https://www.drupal.org/sa-core-2020-012 (af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-13671 (134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.