Search for vulnerabilities
| Vulnerability ID | VCID-tvzp-jbn9-zbhv |
| Aliases |
GHSA-58xv-7h9r-mx3c
|
| Summary | Drupal Malicious file upload with filenames stating with dot Drupal 8 core's file_save_upload() function does not strip the leading and trailing dot ('.') from filenames, like Drupal 7 did. Users with the ability to upload files with any extension in conjunction with contributed modules may be able to use this to upload system files such as .htaccess in order to bypass protections afforded by Drupal's default .htaccess file. After this fix, file_save_upload() now trims leading and trailing dots from filenames. |
| Status | Published |
| Exploitability | 0.5 |
| Weighted Severity | 6.2 |
| Risk | 3.1 |
| Affected and Fixed Packages | Package Details |
| System | Score | Found at |
|---|---|---|
| cvssv3.1_qr | MODERATE | https://github.com/advisories/GHSA-58xv-7h9r-mx3c |
| generic_textual | MODERATE | https://github.com/drupal/drupal |
| generic_textual | MODERATE | https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2019-12-18-2.yaml |
| generic_textual | MODERATE | https://www.drupal.org/sa-core-2019-010 |
| Reference id | Reference type | URL |
|---|---|---|
| https://github.com/drupal/drupal | ||
| https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2019-12-18-2.yaml | ||
| https://www.drupal.org/sa-core-2019-010 | ||
| GHSA-58xv-7h9r-mx3c | https://github.com/advisories/GHSA-58xv-7h9r-mx3c |
No EPSS data available for this vulnerability.
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2025-07-31T08:35:10.391394+00:00 | GithubOSV Importer | Import | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-58xv-7h9r-mx3c/GHSA-58xv-7h9r-mx3c.json | 37.0.0 |