8.8

CVE-2020-13671

Warnung
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
DrupalDrupal Version >= 7.0 < 7.74
DrupalDrupal Version >= 8.8.0 < 8.8.11
DrupalDrupal Version >= 8.9.0 < 8.9.9
DrupalDrupal Version >= 9.0.0 < 9.0.8
FedoraprojectFedora Version32
FedoraprojectFedora Version33

18.01.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog

Drupal core Un-restricted Upload of File

Schwachstelle

Improper sanitization in the extension file names is present in Drupal core.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 4.27% 0.898
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 6.5 8 6.4
AV:N/AC:L/Au:S/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/
Mailing List
Release Notes
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/
Mailing List
Release Notes
https://www.drupal.org/sa-core-2020-012
Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-13671
US Government Resource