CVE-2020-13671
unknown
KEV
CVSS v3
—
CVSS v2
—
VIR risk
1.5
Description
Improper sanitization in the extension file names is present in Drupal core.
CISA KEV
- Vendor
- Drupal
- Product
- Drupal core
- Due date
- 2022-07-18
Predictions
Exploit likelihood
99%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cisa-kev — https://nvd.nist.gov/vuln/detail/CVE-2020-13671
Exploits
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Packagist | drupal/core | >=8.0.0,<8.8.11||>=8.9.0,<8.9.9||>=9.0.0,<9.0.8 | 8.8.11 |
| Packagist | drupal/core | >=9.0.0,<9.0.8 | 9.0.8 |
| Packagist | drupal/core | >=8.9.0,<8.9.9 | 8.9.9 |
| Packagist | drupal/core | >=8.0.0,<8.8.11 | 8.8.11 |
| Packagist | drupal/core | >=7.0.0,<7.74 | 7.74 |
| Packagist | drupal/drupal | >=7.0.0,<7.74 | 7.74 |
| Packagist | drupal/drupal | >=8.0.0,<8.8.11 | 8.8.11 |
| Packagist | drupal/drupal | >=8.9.0,<8.9.9 | 8.9.9 |
| Packagist | drupal/drupal | >=9.0.0,<9.0.8 | 9.0.8 |
References
- https://www.drupal.org/sa-core-2020-012
- https://nvd.nist.gov/vuln/detail/CVE-2020-13671
- https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13671.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13671.yaml
- https://github.com/drupal/core
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-13671
Verify integrity in audit chain (admin only). AS-IS.