CVE-2020-13671 – drupal/core

Package

Manager: composer
Name: drupal/core
Vulnerable Version: >=9.0.0 <9.0.8 || >=8.9.0 <8.9.9 || >=8.0.0 <8.8.11 || >=7.0.0 <7.74

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.07491 pctl0.91408

Details

Drupal core Unrestricted Upload of File with Dangerous Type Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.

Metadata

Created: 2021-10-12T16:28:25Z
Modified: 2024-07-25T14:54:34Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-68jc-v27h-vhmw/GHSA-68jc-v27h-vhmw.json
CWE IDs: ["CWE-434"]
Alternative ID: GHSA-68jc-v27h-vhmw
Finding: F027
Auto approve: 1