← Retour aux CVEs
CVE-2020-13671
HIGHCISA KEV8.8
Description
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.
Details CVE
Score CVSS v3.18.8
SeveriteHIGH
Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vecteur d'attaqueNETWORK
ComplexiteLOW
Privileges requisLOW
Interaction utilisateurNONE
Publie11/20/2020
Derniere modification11/3/2025
Sourcekev
Observations honeypot0
CISA KEV
FournisseurDrupal
ProduitDrupal core
Nom vulnerabiliteDrupal core Un-restricted Upload of File
Date ajout KEV2022-01-18
Date limite remediation2022-07-18
Utilise dans ransomwareUnknown
Produits affectes
drupal:drupalfedoraproject:fedora
Faiblesses (CWE)
CWE-434CWE-434
References
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/(mlhess@drupal.org)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/(mlhess@drupal.org)
https://www.drupal.org/sa-core-2020-012(mlhess@drupal.org)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/(af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/(af854a3a-2127-422b-91ae-364da2661108)
https://www.drupal.org/sa-core-2020-012(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-13671(134c704f-9b21-4f2e-91b3-4a467353bcc0)
Correlations IOC
Aucune correlation enregistree
This product uses data from the NVD API but is not endorsed or certified by the NVD.