⚠ Actively exploited
Added to CISA KEV on 2022-01-18. Federal agencies required to patch by 2022-07-18. Required action: Apply updates per vendor instructions.

CVE-2020-13671: Unrestricted File Upload in Drupal

Severity: 8.8 HIGH (NVD)
EPSS: 4.5% (top 10.86%)
CISA KEV: added 2022-01-18, due 2022-07-18
Exploit: exploited in the wild; active exploitation observed
Timeline: published Nov 20; KEV added Jan 18; KEV due Jul 18; latest update Sep 3
CISA Required Action: Apply updates per vendor instructions.

Description

Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (4 packages)

Packagist: drupal/core, 8.0.0 to 8.8.11 (+3)
CVEListV5: drupal/drupal_core, 4 versions (+3)
NVD: drupal/drupal, 7.0 to 7.74 (+3)
Packagist: drupal/drupal, 7.0.0 to 7.74 (+3)

Also affects: Fedora 32, 33

Vulnerability Details (8)

OSV: drupal7 vulnerabilities (2024-09-03)
OSV: drupal7 vulnerabilities (2024-08-27)
GHSA: Drupal core Unrestricted Upload of File with Dangerous Type (2021-10-12)
OSV: Drupal core Unrestricted Upload of File with Dangerous Type (2021-10-12)
CVEList: CVE-2020-13671: Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and s… (2020-11-20)

Vendor Advisories (4)

Ubuntu: Drupal vulnerabilities (2024-09-03)
Ubuntu: Drupal vulnerabilities (2024-08-27)
CISA: Drupal core Un-restricted Upload of File (2022-01-18)
Drupal: Drupal core - Critical - Remote code execution - SA-CORE-2020-012 (2020-11-18)
CVE-2020-13671 — Unrestricted File Upload in Drupal | cvebase