Cyber Resilience

CVE-2020-13671

HighCISA KEVActive ExploitationEUVD Exploited

Published: 20 November 2020

Published
20 November 2020
Modified
03 November 2025
KEV Added
18 January 2022
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0260 85.9th percentile
Risk Priority 39 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2020-13671 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Drupal Drupal. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 14.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Drupal core fails to properly sanitize certain filenames during file uploads, which can cause uploaded content to be interpreted under an incorrect extension. This leads to the file being served with the wrong MIME type or executed as PHP code under specific hosting configurations. The flaw affects Drupal Core versions 9.0 prior to 9.0.8, 8.9 prior to 8.9.9, 8.8 prior to 8.8.11, and 7 prior to 7.74, and is tracked under CWE-434.

An authenticated attacker with the ability to upload files can exploit the issue over the network with low complexity. Successful exploitation grants full control over confidentiality, integrity, and availability by allowing malicious files to be stored and later executed or served in an unintended manner, corresponding to the CVSS 8.8 rating.

The referenced Drupal security advisory SA-CORE-2020-012 and associated Fedora package announcements direct administrators to apply the fixed releases (7.74, 8.8.11, 8.9.9, or 9.0.8) as the primary mitigation. No public details on in-the-wild exploitation are provided in the source references.

EU & UK References

Vulnerability details

Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects:…

more

Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.

CWE(s)
KEV Date Added
18 January 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

drupal
drupal
7.0 — 7.74 · 8.8.0 — 8.8.11 · 8.9.0 — 8.9.9
fedoraproject
fedora
32, 33

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces validation and sanitization of filename inputs during file uploads to block dangerous extension manipulation.

prevent

Requires prompt application of the vendor patches (7.74/8.8.11/8.9.9/9.0.8) that correct the filename sanitization flaw.

preventdetect

Provides malicious-code scanning and execution blocking for uploaded files that evade filename sanitization.

References