Vulnerability in Drupal Core

CVE-2020-13671

Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This…

EPSS: 0.045 (89.3rd percentile).

Affected products

  • Drupal Core: 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11

CISA KEV (Known Exploited Vulnerabilities)

This CVE is in the CISA KEV catalog, added on 2022-01-18. CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate by a published due date.

BOD 22-01 due date: .

Required action: Apply updates per vendor instructions.

Frequently asked questions

What is CVE-2020-13671?
CVE-2020-13671 is a vulnerability in Drupal Core. Published 2020-11-20.

Is CVE-2020-13671 known to be exploited?
Yes. CVE-2020-13671 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2022-01-18), indicating it is being actively exploited. 4 public proof-of-concept repositories are indexed.