CVE-2020-13671
In short
Drupal doesn't properly clean up filenames when users upload files, which can trick servers into running uploaded files as PHP code or treating them as wrong file types. This could let attackers execute harmful code on the website.
Technical detail
CWE-434: Improper Restriction of Rendered UI Layers or Frames. Insufficient filename sanitization in Drupal file upload handling allows attackers to bypass MIME type validation through specially crafted filenames, leading to arbitrary PHP code execution on susceptible hosting configurations. The vulnerability affects Drupal versions prior to 9.0.8, 8.9.9, 8.8.11, and 7.74.
Summary generated and translated by AI from the official description.
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects Drupal Core: 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
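The description above turns on an uploaded file being interpreted by an extension other than its final one. The following audit sketch is an added example, not code from Drupal or from the advisory: it flags names in an upload directory that carry a risky extension in any position and proposes a neutralized name. The extension set, the function names and the sample listing are assumptions made for illustration.

```python
from pathlib import PurePosixPath

# Assumption: extensions a web server might execute or a browser render.
# Tune this set to the handlers configured on your own hosts.
RISKY = frozenset({"phar", "php", "phtml", "pl", "py", "cgi",
                   "asp", "js", "html", "htm"})


def split_name(filename):
    """Return (base, [ext, ...]) for the final path component, lower-cased,
    with trailing dots and spaces removed (some filesystems ignore them)."""
    name = PurePosixPath(filename.replace("\\", "/")).name
    base, *exts = name.rstrip(". ").lower().split(".")
    return base, exts


def risky_extensions(filename):
    """Risky extensions appearing in ANY position, not only the last one."""
    _, exts = split_name(filename)
    return [e for e in exts if e in RISKY]


def neutralize(filename):
    """Return a file name in which no risky extension survives as a
    dot-delimited token: inner ones get '_', a risky final one gets '.txt'."""
    base, exts = split_name(filename)
    if not exts:
        return base
    inner = [e + "_" if e in RISKY else e for e in exts[:-1]]
    last = exts[-1]
    tail = [last + "_", "txt"] if last in RISKY else [last]
    return ".".join([base, *inner, *tail])


def audit(filenames):
    """Map each suspicious name to (findings, proposed safe file name)."""
    return {f: (risky_extensions(f), neutralize(f))
            for f in filenames if risky_extensions(f)}


# Constructed sample listing of an upload directory (not real data).
SAMPLE = ["report.pdf", "logo.PNG", "notes.php.txt", "banner.html.gif",
          "archive.tar.gz", "upload.PHP.", "sites/default/files/a.b.phar.jpg"]

if __name__ == "__main__":
    for name, (found, safe) in audit(SAMPLE).items():
        print(f"{name}: {found} -> {safe}")
```

Feed it the file listing of the site's public and private files directories; anything it reports is worth reviewing by hand even after the core update is applied, since the update does not rename files that were uploaded earlier.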
Affected products
Drupal · Drupal Core
References
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-13671
https://www.drupal.org/sa-core-2020-012