CVE-2020-13671

HIGH KEV RANSOMWARE

Drupal < 7.74 - Unrestricted File Upload

Title source: rule

Description

Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.

Scores

CVSS v3 8.8
EPSS 0.0450
EPSS Percentile 89.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CISA KEV 2022-01-18
VulnCheck KEV 2021-04-12
InTheWild.io 2021-04-12
ENISA EUVD EUVD-2021-2168
Ransomware Use Confirmed
CWE CWE-434
Status published
Products (5)
drupal/core 9.0.0 - 9.0.8 (Packagist)
drupal/drupal 7.0 - 7.74
drupal/drupal 7.0.0 - 7.74 (Packagist)
fedoraproject/fedora 32
fedoraproject/fedora 33
Published Nov 20, 2020
KEV Added Jan 18, 2022
Tracked Since Feb 18, 2026