CVE-2020-13675
CRITICAL
Drupal 8.0.0-8.9.18 - Improper Access Control in JSON:API and REST/File Modules
Description
Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site.
References (1)
Core References
Mitigation, Patch, Vendor Advisory x_refsource_confirm
https://www.drupal.org/sa-core-2021-008
Scores
CVSS v3: 9.8
EPSS: 0.0122
EPSS Percentile: 64.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-284, CWE-434
Status: published
Products (2)
drupal/core: 8.0.0 - 8.9.19 (Packagist)
drupal/drupal: 8.0.0 - 8.9.19
Published: Feb 11, 2022
Tracked Since: Feb 18, 2026