Vulnerability details: VCID-cnay-ga6u-aaar
Vulnerability ID VCID-cnay-ga6u-aaar
Aliases CVE-2020-13671
GHSA-68jc-v27h-vhmw
Summary Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.
Status Published
Exploitability 2.0
Weighted Severity 9.0
Risk 10.0
Weaknesses (3)
System Score Found at
epss 0.04323 https://api.first.org/data/v1/epss?cve=CVE-2020-13671
epss 0.07758 https://api.first.org/data/v1/epss?cve=CVE-2020-13671
epss 0.16649 https://api.first.org/data/v1/epss?cve=CVE-2020-13671
epss 0.46007 https://api.first.org/data/v1/epss?cve=CVE-2020-13671
epss 0.53723 https://api.first.org/data/v1/epss?cve=CVE-2020-13671
epss 0.67655 https://api.first.org/data/v1/epss?cve=CVE-2020-13671
epss 0.73668 https://api.first.org/data/v1/epss?cve=CVE-2020-13671
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-68jc-v27h-vhmw
cvssv3.1 6.5 https://github.com/drupal/core
generic_textual CRITICAL https://github.com/drupal/core
cvssv3.1 8.8 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437
generic_textual HIGH https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437
cvssv3.1 8.8 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/
ssvc Attend https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/
cvssv3.1 8.8 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT
generic_textual HIGH https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT
cvssv3.1 8.8 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/
ssvc Attend https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/
cvssv3.1 7.8 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437
generic_textual HIGH https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437
cvssv3.1 7.8 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT
generic_textual HIGH https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT
cvssv2 6.5 https://nvd.nist.gov/vuln/detail/CVE-2020-13671
cvssv3 8.8 https://nvd.nist.gov/vuln/detail/CVE-2020-13671
cvssv3.1 8.8 https://nvd.nist.gov/vuln/detail/CVE-2020-13671
cvssv3.1 8.8 https://www.drupal.org/sa-core-2020-012
generic_textual HIGH https://www.drupal.org/sa-core-2020-012
ssvc Attend https://www.drupal.org/sa-core-2020-012
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2020-13671
https://github.com/drupal/core
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/
https://www.drupal.org/sa-core-2020-012
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
CVE-2020-13671 https://nvd.nist.gov/vuln/detail/CVE-2020-13671
CVE-2020-13671.YAML https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13671.yaml
CVE-2020-13671.YAML https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13671.yaml
GHSA-68jc-v27h-vhmw https://github.com/advisories/GHSA-68jc-v27h-vhmw
USN-6981-1 https://usn.ubuntu.com/6981-1/
USN-6981-2 https://usn.ubuntu.com/6981-2/
Data source KEV
Date added Jan. 18, 2022
Description Improper sanitization in the extension file names is present in Drupal core.
Required action Apply updates per vendor instructions.
Due date July 18, 2022
Note
https://nvd.nist.gov/vuln/detail/CVE-2020-13671
Ransomware campaign use Unknown
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/drupal/core

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/

Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T12:38:31Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/

Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T12:38:31Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2020-13671

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2020-13671

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2020-13671

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://www.drupal.org/sa-core-2020-012

Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T12:38:31Z/ Found at https://www.drupal.org/sa-core-2020-012
Exploit Prediction Scoring System (EPSS)
Percentile 0.88275
EPSS Score 0.04323
Published At May 15, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
There are no relevant records.