CVE-2020-13671

HIGH 8.8 | ⚠ KEV | EPSS 4.5%

Drupal core Unrestricted Upload of File with Dangerous Type

Published: 2020/11/18 | Modified: 2025/12/10 | Added to CISA KEV: 2022/1/18
Also known as: GHSA-68jc-v27h-vhmw, BIT-drupal-2020-13671, DRUPAL-CORE-2020-012

Description

Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.

Affected packages (4)

CVSS scores

Source | Version | Severity | Vector
osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H

References (12)