Vulnerability Name: CVE-2020-13671 (CCN-191949)
Assigned: 2020-11-18
Published: 2020-11-18
Updated: 2022-01-01
Summary: Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.
CVSS v3 Severity:
- 8.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- 7.7 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
- 8.5 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
CVSS v2 Severity: 6.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P)
Vulnerability Type: CWE-434
Vulnerability Consequences: Gain Access
References:
- Source: MITRE Type: CNA CVE-2020-13671
- Source: XF Type: UNKNOWN drupal-cve202013671-code-exec(191949)
- Source: FEDORA Type: Mailing List, Third Party Advisory FEDORA-2020-d50d74d6f2
- Source: FEDORA Type: Mailing List, Third Party Advisory FEDORA-2020-6f1079934c
- Source: CCN Type: CYBERSECURITY & INFRASTRUCTURE SECURITY AGENCY KNOWN EXPLOITED VULNERABILITIES CATALOG
- Source: CCN Type: SA-CORE-2020-012 Drupal core - Critical - Remote code execution
- Source: CONFIRM Type: Vendor Advisory https://www.drupal.org/sa-core-2020-012
- Source: CCN Type: IBM Security Bulletin 6410870 (API Connect) IBM API Connect's Developer Portal is vulnerable to arbitrary code excution in Drupal Core (CVE-2020-13671)
- Source: CCN Type: WhiteSource Vulnerability Database CVE-2020-13671
Vulnerable Configuration: Configuration 1: Configuration 2: Configuration CCN 1: