CVE-2020-13671
Published: 2020-11-20
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.
Priority: P1 88
Severity: high, CVSS 3.1 base score 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-07-18
Exploited in the wild
EPSS: 4.27% (89.8th percentile)
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.
Affected version ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | core | >= 7.0.0 < 7.74 | 7.74 |
| drupal | core | >= 8.0.0 < 8.8.11 | 8.8.11 |
| drupal | core | >= 8.9.0 < 8.9.9 | 8.9.9 |
| drupal | core | >= 9.0.0 < 9.0.8 | 9.0.8 |
| drupal | drupal | >= 7.0 < 7.74 | 7.74 |
| drupal | drupal | >= 7.0.0 < 7.74 | 7.74 |
| drupal | drupal | >= 8.0.0 < 8.8.11 | 8.8.11 |
| drupal | drupal | >= 8.8.0 < 8.8.11 | 8.8.11 |
| drupal | drupal | >= 8.9.0 < 8.9.9 | 8.9.9 |
| drupal | drupal | >= 9.0.0 < 9.0.8 | 9.0.8 |
| drupal | drupal_core | — | — |
| fedoraproject | fedora | — | — |
Detection & IOCs (extracted from sources)
- Hunt for uploaded files containing multiple extensions where a dangerous extension (phar, php, pl, py, cgi, asp, js, html, htm, phtml) precedes one or more additional extensions, and the combined extension string does NOT contain an underscore (_).
- Audit all previously uploaded files in Drupal's file store for malicious multi-extension filenames, paying special attention to the dangerous extensions list even when followed by one or more additional extensions.
- Files with these dangerous extensions may be executed as PHP or served with incorrect MIME types depending on hosting configuration; monitor web server logs for unexpected execution of uploaded files.
- Exploitation (PHP execution) is dependent on hosting configuration: not all configurations will execute the malicious file as PHP, so impact varies by server setup.
- The dangerous extensions list is explicitly noted as non-exhaustive; other unmunged extensions should be evaluated on a case-by-case basis.
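The hunt rule above, implemented as an added example for auditing a Drupal file store (this is not code from the page or from Drupal). It assumes the advisory's extension list and the page's underscore rule: a patched Drupal munges a dangerous extension that precedes another extension by appending `_` (e.g. `x.php_.txt`), so an underscore-free `x.php.txt` is the unmunged pattern to flag. The sample filenames are constructed.

```python
import os
from typing import Iterable, List

# Dangerous extensions named in SA-CORE-2020-012; the advisory calls this list non-exhaustive.
DANGEROUS_EXTENSIONS = {"phar", "php", "pl", "py", "cgi", "asp", "js", "html", "htm", "phtml"}


def is_unmunged_multi_extension(filename: str) -> bool:
    """True when a dangerous extension is followed by at least one more extension
    and the combined extension string carries no underscore. A patched Drupal
    munges such names by appending '_' to the dangerous extension ('x.php_.txt'),
    so an underscore-free 'x.php.txt' in the file store indicates an unmunged upload."""
    base = os.path.basename(filename)
    parts = base.split(".")
    if len(parts) < 3:  # need a name plus at least two extensions
        return False
    extensions = [p.lower() for p in parts[1:]]
    if "_" in ".".join(extensions):  # already munged; the base name may still contain '_'
        return False
    # Only extensions that precede another extension count for this pattern;
    # a dangerous extension in last position is outside the advisory's hunt rule.
    return any(ext in DANGEROUS_EXTENSIONS for ext in extensions[:-1])


def hunt_filenames(filenames: Iterable[str]) -> List[str]:
    """Return the filenames matching the hunt pattern, in input order."""
    return [name for name in filenames if is_unmunged_multi_extension(name)]


def hunt_directory(root: str) -> List[str]:
    """Walk a Drupal public or private files directory and return matching paths."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_unmunged_multi_extension(name):
                hits.append(os.path.join(dirpath, name))
    return hits


# Constructed sample of names as they might appear under sites/default/files
SAMPLE_FILENAMES = [
    "report.php.txt",      # dangerous extension before .txt, no underscore: hit
    "report.php_.txt",     # munged by a patched Drupal: not a hit
    "my_file.phtml.png",   # underscore only in the base name: still a hit
    "page.html.bak",       # .html is on the dangerous list: hit
    "archive.tar.gz",      # benign multi-extension name: not a hit
    "photo.jpg",           # single extension: not a hit
    "backup.txt.php",      # dangerous extension last: outside this pattern
]

if __name__ == "__main__":
    for hit in hunt_filenames(SAMPLE_FILENAMES):
        print("suspicious:", hit)
```

Run `hunt_directory` against the site's files directory to produce the audit list; any hit should be checked against the web server's handler configuration for the extensions involved.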
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| osv | — | 8.8 | HIGH | — |
| vulncheck | — | 8.8 | HIGH | — |
| cisa | — | 8.8 | HIGH | — |
| vendor_ubuntu | — | 8.8 | HIGH | — |
OSV: drupal7 vulnerabilities (osv, 2024-09-03, CVSS 8.8, HIGH)
USN-6981-1 fixed vulnerabilities in Drupal. This update provides the corresponding updates for Ubuntu 14.04 LTS.
Original advisory details:
It was discovered that Drupal incorrectly sanitized uploaded filenames. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2020-13671)
It was discovered that Drupal incorrectly sanitized archived filenames. A remote attacker could possibly use this issue to overwrite arbitrary files, or execute arbitrary code. (CVE-2020-28948, CVE-2020-28949)
OSV: drupal7 vulnerabilities (osv, 2024-08-27, CVSS 8.8, HIGH)
It was discovered that Drupal incorrectly sanitized uploaded filenames. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2020-13671)
It was discovered that Drupal incorrectly sanitized archived filenames. A remote attacker could possibly use this issue to overwrite arbitrary files, or execute arbitrary code. (CVE-2020-28948, CVE-2020-28949)
GHSA: Drupal core Unrestricted Upload of File with Dangerous Type (ghsa, 2021-10-12, HIGH, CWE-434)
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.
OSV: Drupal core Unrestricted Upload of File with Dangerous Type (osv, 2021-10-12, HIGH)
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.
OSV: CVE-2020-13671 (osv, 2020-11-20, CVSS 8.8, HIGH)
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.
OSV: CVE-2020-13671 (osv, 2020-11-18)
*Update November 18: Documented longer list of dangerous file extensions*
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.
VulnCheck: Drupal core Un-restricted Upload of File (vulncheck, 2020, CVSS 8.8, HIGH, CWE-434)
Improper sanitization in the extension file names is present in Drupal core.
Affected: Drupal Drupal Core
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://info.securin.io/hubfs/Securin%20Ransomware%20Report%202023.pdf
- https://www.trustwave.com/hubfs/Web/Library/Documents_pdf/2024_Trustwave_Public_Sector_Threat_Landscape.pdf
Remediation Due: 2022-07-18
Ubuntu: Drupal vulnerabilities (vendor_ubuntu, 2024-09-03, CVSS 8.8, HIGH)
Summary: Drupal could be made to crash or run programs if it received specially crafted network traffic.
USN-6981-1 fixed vulnerabilities in Drupal. This update provides the corresponding updates for Ubuntu 14.04 LTS.
Original advisory details:
It was discovered that Drupal incorrectly sanitized uploaded filenames. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2020-13671)
It was discovered that Drupal incorrectly sanitized archived filenames. A remote attacker could possibly use this issue to overwrite arbitrary files, or execute arbitrary code. (CVE-2020-28948, CVE-2020-28949)
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu: Drupal vulnerabilities (vendor_ubuntu, 2024-08-27, CVSS 8.8, HIGH)
Summary: Drupal could be made to crash or run programs if it received specially crafted network traffic.
It was discovered that Drupal incorrectly sanitized uploaded filenames. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2020-13671)
It was discovered that Drupal incorrectly sanitized archived filenames. A remote attacker could possibly use this issue to overwrite arbitrary files, or execute arbitrary code. (CVE-2020-28948, CVE-2020-28949)
Instructions: In general, a standard system update will make all the necessary changes.
CISA: Drupal core Un-restricted Upload of File (cisa, 2022-01-18, CVSS 8.8, HIGH, CWE-434)
Vulnerability: Drupal core Un-restricted Upload of File
Affected: Drupal Drupal core
Improper sanitization in the extension file names is present in Drupal core.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-13671
Remediation Due Date: 2022-07-18
Drupal: Drupal core - Critical - Remote code execution - SA-CORE-2020-012 (vendor_drupal, 2020-11-18, HIGH)
Vulnerability Type: Remote code execution
Description: Update November 18: Documented longer list of dangerous file extensions. Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.
Solution: Install the latest version:
- If you are using Drupal 9.0, update to Drupal 9.0.8
- If you are using Drupal 8.9, update to Drupal 8.9.9
- If you are using Drupal 8.8 or earlier, update to Drupal 8.8.11
- If you are using Drupal 7, update to Drupal 7.74
Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Additionally, it's
No detection rules found.
No public exploits indexed.
Tenable: CVE-2026-9082: Highly Critical SQL Injection Vulnerability in Drupal Core (SA-CORE-2026-004) (blogs_tenable, 2026-05-21, CVSS 6.5, MEDIUM)
A highly critical SQL injection vulnerability in Drupal core's database abstraction layer affects sites running PostgreSQL.
Key Takeaways
CVE-2026-9082 is a highly critical SQL injection vulnerabi
Qualys: Managing CISA Known Exploited Vulnerabilities with Qualys VMDR (blogs_qualys, 2022-02-23)
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Unit42: Network Attack Trends: Internet of Threats (November 2020-January 2021) (blogs_unit42, 2021-04-12, CVSS 7.5, HIGH; indexed under CVE-2020-28188)
Executive Summary
Unit 42 researchers analyzed network attack trends over Winter 2020 and discovered many interesting exploits in the wild. During the period of Nov. 2020 to Jan. 2021, the majority of the attacks we observed were classified as critical (75%), compared to the 50.4% we reported in the fall of 2020. Several newly observed exploits, including CVE-2020-28188, CVE-2020-17519, and CVE-2020-29227, have emerged and were continuously being exploited in the wild as of late 2020 to early 2021.
This blog provides details of the newly observed exploits as well as a dive deep into the exploitation analysis, vendor analysis, attack origin, and attack category distribution.
Palo Alto Networks Next-Generation Firewall customers are protected from these attacks with the URL Filtering an
Unit42: Network Attack Trends: Internet of Threats (November 2020-January 2021) (blogs_unit42, 2021-04-12, CVSS 7.5, HIGH)
Authors: Lei Xu, Yue Guan, Vaibhav Singhal. Published: April 12, 2021.
Topics: Malware, Trend Reports, Vulnerabilities, Botnet, DDoS, Exploit kit, IoT, Network security trends.
References
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/
- https://www.drupal.org/sa-core-2020-012
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-13671
Timeline
- 2020-11-20: Published
- 2022-01-18: Added to CISA KEV
- Exploited in the wild