CVE-2020-13671

HIGH KEV RANSOMWARE

Drupal Core < 7.74, 8.8.11, 8.9.9, 9.0.8 - Unrestricted Upload of File with Dangerous Type

Title source: llm

Exploitation Summary

CVE-2020-13671 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added January 18, 2022, with confirmed use in ransomware campaigns.

Description

Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.

References (4)

Core 4

Core References

Vendor Advisory x_refsource_confirm

https://www.drupal.org/sa-core-2020-012

Mailing List, Release Notes vendor-advisory x_refsource_fedora

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/

Mailing List, Release Notes vendor-advisory x_refsource_fedora

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-13671

Scores

CVSS v3 8.8

EPSS 0.0260

EPSS Percentile 86.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2022-01-18

VulnCheck KEV 2021-04-12

InTheWild.io 2021-04-12

ENISA EUVD EUVD-2021-2168

Ransomware Use Confirmed

CWE

CWE-434

Status published

Products (5)

drupal/core 9.0.0 - 9.0.8Packagist

drupal/drupal 7.0 - 7.74

drupal/drupal 7.0.0 - 7.74Packagist

fedoraproject/fedora 32

fedoraproject/fedora 33

Published Nov 20, 2020

KEV Added Jan 18, 2022

Tracked Since Feb 18, 2026