CVE-2020-13671
PUBLISHED
KEV
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.
Risk Scores
EPSS Score: 4.50% (89.3rd percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | drupal | 7.0.0, 8.8.0, 8.9.0 |
| Bitnami | drupal | 7.0.0, 8.8.0, 7.0.0 |
Timeline
- Nov 18, 2020 CVE Published
- Apr 14, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Jan 18, 2022 CISA KEV Added
- Feb 4, 2022 EPSS Score
- Feb 27, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Jan 7, 2023 EPSS Score
- May 12, 2023 EPSS Score
- Jun 14, 2023 PoC Published
References
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/
- https://www.drupal.org/sa-core-2020-012
- https://nvd.nist.gov/vuln/detail/CVE-2020-13671
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-13671