VYPR
High severityCISA KEVNVD Advisory· Published Nov 20, 2020· Updated Oct 21, 2025

CVE-2020-13671

CVE-2020-13671

Description

Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
drupal/corePackagist
>= 9.0.0, < 9.0.89.0.8
drupal/corePackagist
>= 8.9.0, < 8.9.98.9.9
drupal/corePackagist
>= 8.0.0, < 8.8.118.8.11
drupal/corePackagist
>= 7.0.0, < 7.747.74
drupal/drupalPackagist
>= 7.0.0, < 7.747.74
drupal/drupalPackagist
>= 8.0.0, < 8.8.118.8.11
drupal/drupalPackagist
>= 8.9.0, < 8.9.98.9.9
drupal/drupalPackagist
>= 9.0.0, < 9.0.89.0.8

Affected products

4

Patches

Vulnerability mechanics

References

12

News mentions

1