CVE-2020-13671
published 2020-11-20


Priority: P1 · 88
CVSS 3.1: 8.8 (high)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-07-18
Exploited in the wild
EPSS: 4.27% (89.8th percentile)
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.

Affected (19 ranges)

Vendor          Product       Version range           Fixed in
drupal          core          >= 7.0.0 < 7.74         7.74
drupal          core          >= 8.0.0 < 8.8.11       8.8.11
drupal          core          >= 8.9.0 < 8.9.9        8.9.9
drupal          core          >= 9.0.0 < 9.0.8        9.0.8
drupal          drupal        >= 7.0 < 7.74           7.74
drupal          drupal        >= 7.0.0 < 7.74         7.74
drupal          drupal        >= 8.0.0 < 8.8.11       8.8.11
drupal          drupal        >= 8.8.0 < 8.8.11       8.8.11
drupal          drupal        >= 8.9.0 < 8.9.9        8.9.9
drupal          drupal        >= 8.9.0 < 8.9.9        8.9.9
drupal          drupal        >= 9.0.0 < 9.0.8        9.0.8
drupal          drupal        >= 9.0.0 < 9.0.8        9.0.8
drupal          drupal_core   (no range given)        (not given)
drupal          drupal_core   (no range given)        (not given)
drupal          drupal_core   (no range given)        (not given)
drupal          drupal_core   (no range given)        (not given)
drupal          drupal_core   (no range given)        (not given)
fedoraproject   fedora        (no range given)        (not given)
fedoraproject   fedora        (no range given)        (not given)

Detection & IOCs (extracted from sources)

Type        Value
filename    filename.php.txt
filename    filename.html.gif
other       phar
other       php
other       pl
other       py
other       cgi
other       asp
other       js
other       html
other       htm
other       phtml
  • Hunt for uploaded files containing multiple extensions where a dangerous extension (phar, php, pl, py, cgi, asp, js, html, htm, phtml) precedes one or more additional extensions, and the combined extension string does NOT contain an underscore (_).
  • Audit all previously uploaded files in Drupal's file store for malicious multi-extension filenames, paying special attention to the dangerous extensions list even when followed by one or more additional extensions.
  • Files with these dangerous extensions may be executed as PHP or served with incorrect MIME types depending on hosting configuration — monitor web server logs for unexpected execution of uploaded files.
  • Exploitation (PHP execution) is dependent on hosting configuration — not all configurations will execute the malicious file as PHP; impact varies by server setup.
  • The dangerous extensions list is explicitly noted as non-exhaustive; other unmunged extensions should be evaluated on a case-by-case basis.
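The hunt criteria above (a dangerous extension followed by further extensions, with no underscore in the extension chain) can be turned into a file-store audit. The script below is an added example, not code from Drupal or from the sources this page cites; its dangerous-extension list is the non-exhaustive one listed above, the file listing is constructed, and munge_filename is a simplified stand-in for the underscore munging the advisory refers to, not Drupal's own implementation.

```python
import re

# Non-exhaustive dangerous-extension list, taken from the hunt guidance above.
DANGEROUS_EXTENSIONS = {"phar", "php", "pl", "py", "cgi", "asp", "js", "html", "htm", "phtml"}


def _extensions(filename: str):
    """Return the extension chain of a path's basename, e.g. 'a.php.txt' -> ['php', 'txt']."""
    base = re.split(r"[\\/]", filename)[-1]
    return base.split(".")[1:]


def is_suspicious_multi_extension(filename: str) -> bool:
    """True when a dangerous extension is followed by at least one more extension
    and no underscore appears in the extension chain (i.e. it was never munged)."""
    exts = _extensions(filename)
    if len(exts) < 2:
        return False  # single-extension files are out of scope for this hunt
    if "_" in ".".join(exts):
        return False  # already neutralised, e.g. 'a.php_.txt'
    return any(e.lower() in DANGEROUS_EXTENSIONS for e in exts[:-1])


def munge_filename(filename: str) -> str:
    """Simplified stand-in (assumption, not Drupal code): append '_' to every dangerous
    extension that is not the final one, returning the basename only."""
    parts = re.split(r"[\\/]", filename)[-1].split(".")
    for i in range(1, len(parts) - 1):
        if parts[i].lower() in DANGEROUS_EXTENSIONS:
            parts[i] += "_"
    return ".".join(parts)


def hunt(filenames):
    """Return the subset of filenames matching the hunt criteria, preserving order."""
    return [f for f in filenames if is_suspicious_multi_extension(f)]


# Constructed sample of a file-store listing; not taken from any real site.
SAMPLE_FILENAMES = [
    "sites/default/files/report.pdf",
    "sites/default/files/filename.php.txt",
    "sites/default/files/filename.php_.txt",
    "sites/default/files/filename.html.gif",
    "sites/default/files/shell.php",
    "sites/default/files/photo.PHTML.jpeg",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_FILENAMES):
        print(f"{f} -> would be stored as {munge_filename(f)}")
```

Note that the single-extension file shell.php is deliberately not flagged: this hunt targets the multi-extension bypass, so it complements rather than replaces a plain check for executable extensions.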

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      6.5     MEDIUM     AV:N/AC:L/Au:S/C:P/I:P/A:P
osv                       8.8     HIGH
vulncheck                 8.8     HIGH
cisa                      8.8     HIGH
vendor_ubuntu             8.8     HIGH