High severity · CISA KEV · NVD Advisory · Published Nov 20, 2020 · Updated Oct 21, 2025
CVE-2020-13671
Description
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| drupal/core (Packagist) | >= 9.0.0, < 9.0.8 | 9.0.8 |
| drupal/core (Packagist) | >= 8.9.0, < 8.9.9 | 8.9.9 |
| drupal/core (Packagist) | >= 8.0.0, < 8.8.11 | 8.8.11 |
| drupal/core (Packagist) | >= 7.0.0, < 7.74 | 7.74 |
| drupal/drupal (Packagist) | >= 7.0.0, < 7.74 | 7.74 |
| drupal/drupal (Packagist) | >= 8.0.0, < 8.8.11 | 8.8.11 |
| drupal/drupal (Packagist) | >= 8.9.0, < 8.9.9 | 8.9.9 |
| drupal/drupal (Packagist) | >= 9.0.0, < 9.0.8 | 9.0.8 |
Affected products
- Drupal/Drupal Core · v5 · Range: 9.0 versions prior to 9.0.8
References
- github.com/advisories/GHSA-68jc-v27h-vhmw (ghsa, ADVISORY)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/ (mitre, vendor-advisory, x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2020-13671 (ghsa, ADVISORY)
- github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13671.yaml (ghsa, WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13671.yaml (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437 (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437 (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT (ghsa, WEB)
- www.cisa.gov/known-exploited-vulnerabilities-catalog (ghsa, WEB)
- www.drupal.org/sa-core-2020-012 (ghsa, x_refsource_CONFIRM, WEB)