Vulnerability Details CVE-2020-13671
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.059
EPSS Ranking 90.1%
CVSS Severity
CVSS v3 Score 8.8
CVSS v2 Score 6.5
Proposed Action
Improper sanitization of file name extensions is present in Drupal core.
Ransomware Campaign
Unknown
Products affected by CVE-2020-13671
- cpe:2.3:a:drupal:drupal:7.0
- cpe:2.3:a:drupal:drupal:7.1
- cpe:2.3:a:drupal:drupal:7.10
- cpe:2.3:a:drupal:drupal:7.11
- cpe:2.3:a:drupal:drupal:7.12
- cpe:2.3:a:drupal:drupal:7.13
- cpe:2.3:a:drupal:drupal:7.14
- cpe:2.3:a:drupal:drupal:7.15
- cpe:2.3:a:drupal:drupal:7.16
- cpe:2.3:a:drupal:drupal:7.17
- cpe:2.3:a:drupal:drupal:7.18
- cpe:2.3:a:drupal:drupal:7.19
- cpe:2.3:a:drupal:drupal:7.2
- cpe:2.3:a:drupal:drupal:7.20
- cpe:2.3:a:drupal:drupal:7.21
- cpe:2.3:a:drupal:drupal:7.22
- cpe:2.3:a:drupal:drupal:7.23
- cpe:2.3:a:drupal:drupal:7.24
- cpe:2.3:a:drupal:drupal:7.25
- cpe:2.3:a:drupal:drupal:7.26
- cpe:2.3:a:drupal:drupal:7.27
- cpe:2.3:a:drupal:drupal:7.28
- cpe:2.3:a:drupal:drupal:7.29
- cpe:2.3:a:drupal:drupal:7.3
- cpe:2.3:a:drupal:drupal:7.30
- cpe:2.3:a:drupal:drupal:7.31
- cpe:2.3:a:drupal:drupal:7.32
- cpe:2.3:a:drupal:drupal:7.33
- cpe:2.3:a:drupal:drupal:7.34
- cpe:2.3:a:drupal:drupal:7.35
- cpe:2.3:a:drupal:drupal:7.36
- cpe:2.3:a:drupal:drupal:7.37
- cpe:2.3:a:drupal:drupal:7.38
- cpe:2.3:a:drupal:drupal:7.39
- cpe:2.3:a:drupal:drupal:7.4
- cpe:2.3:a:drupal:drupal:7.40
- cpe:2.3:a:drupal:drupal:7.41
- cpe:2.3:a:drupal:drupal:7.42
- cpe:2.3:a:drupal:drupal:7.43
- cpe:2.3:a:drupal:drupal:7.44
- cpe:2.3:a:drupal:drupal:7.5
- cpe:2.3:a:drupal:drupal:7.50
- cpe:2.3:a:drupal:drupal:7.51
- cpe:2.3:a:drupal:drupal:7.52
- cpe:2.3:a:drupal:drupal:7.53
- cpe:2.3:a:drupal:drupal:7.54
- cpe:2.3:a:drupal:drupal:7.55
- cpe:2.3:a:drupal:drupal:7.56
- cpe:2.3:a:drupal:drupal:7.57
- cpe:2.3:a:drupal:drupal:7.58
- cpe:2.3:a:drupal:drupal:7.59
- cpe:2.3:a:drupal:drupal:7.6
- cpe:2.3:a:drupal:drupal:7.60
- cpe:2.3:a:drupal:drupal:7.61
- cpe:2.3:a:drupal:drupal:7.62
- cpe:2.3:a:drupal:drupal:7.63
- cpe:2.3:a:drupal:drupal:7.64
- cpe:2.3:a:drupal:drupal:7.65
- cpe:2.3:a:drupal:drupal:7.66
- cpe:2.3:a:drupal:drupal:7.67
- cpe:2.3:a:drupal:drupal:7.68
- cpe:2.3:a:drupal:drupal:7.69
- cpe:2.3:a:drupal:drupal:7.7
- cpe:2.3:a:drupal:drupal:7.70
- cpe:2.3:a:drupal:drupal:7.71
- cpe:2.3:a:drupal:drupal:7.72
- cpe:2.3:a:drupal:drupal:7.73
- cpe:2.3:a:drupal:drupal:7.8
- cpe:2.3:a:drupal:drupal:7.9
- cpe:2.3:a:drupal:drupal:8.8.0
- cpe:2.3:a:drupal:drupal:8.8.1
- cpe:2.3:a:drupal:drupal:8.8.10
- cpe:2.3:a:drupal:drupal:8.8.2
- cpe:2.3:a:drupal:drupal:8.8.3
- cpe:2.3:a:drupal:drupal:8.8.4
- cpe:2.3:a:drupal:drupal:8.8.5
- cpe:2.3:a:drupal:drupal:8.8.6
- cpe:2.3:a:drupal:drupal:8.8.7
- cpe:2.3:a:drupal:drupal:8.8.8
- cpe:2.3:a:drupal:drupal:8.8.9
- cpe:2.3:a:drupal:drupal:8.9.0
- cpe:2.3:a:drupal:drupal:8.9.1
- cpe:2.3:a:drupal:drupal:8.9.2
- cpe:2.3:a:drupal:drupal:8.9.3
- cpe:2.3:a:drupal:drupal:8.9.4
- cpe:2.3:a:drupal:drupal:8.9.5
- cpe:2.3:a:drupal:drupal:8.9.6
- cpe:2.3:a:drupal:drupal:8.9.7
- cpe:2.3:a:drupal:drupal:8.9.8
- cpe:2.3:a:drupal:drupal:9.0.0
- cpe:2.3:a:drupal:drupal:9.0.1
- cpe:2.3:a:drupal:drupal:9.0.2
- cpe:2.3:a:drupal:drupal:9.0.3
- cpe:2.3:a:drupal:drupal:9.0.4
- cpe:2.3:a:drupal:drupal:9.0.5
- cpe:2.3:a:drupal:drupal:9.0.6
- cpe:2.3:a:drupal:drupal:9.0.7
- cpe:2.3:o:fedoraproject:fedora:32
- cpe:2.3:o:fedoraproject:fedora:33