PT-2020-4969 · Drupal+1 · Drupal Core+1
Authors: Derek Wright +4
Published: 2020-11-18 · Updated: 2025-03-14
CVE-2020-13671
CVSS v2.0: 9.0 (High)
| Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Drupal Core versions prior to 9.0.8
Drupal Core versions prior to 8.9.9
Drupal Core versions prior to 8.8.11
Drupal Core versions prior to 7.74
Description
The issue stems from improper sanitization of certain filenames on uploaded files: a file can be interpreted as having a different extension than intended and, depending on the hosting configuration, served with the wrong MIME type or executed as PHP. This can allow a remote attacker to execute arbitrary PHP code on the server. The estimated number of potentially affected devices worldwide is not specified.
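The defensive control the description implies is a filename sanitizer that does not trust anything but the last extension and neutralises executable extensions that appear earlier in the name. The following is an added illustration written for this page, not Drupal's own code or its patch; the DANGEROUS_EXTENSIONS list, the function names and the sample filenames are constructed for the example.

```python
import os
import re
import unicodedata
from typing import Optional

# Extensions that common web servers or handlers may execute or treat
# specially. Constructed for this example; a real deployment derives the
# list from its own server and handler configuration.
DANGEROUS_EXTENSIONS = {"php", "phtml", "phar", "pl", "py", "cgi", "asp", "aspx", "js"}


def munge_filename(name: str, allowed: set[str]) -> str:
    """Append '_' to every dangerous extension segment that is not allow-listed.

    'report.php.txt' -> 'report.php_.txt', so a server that picks the
    extension from the middle of the name no longer sees a script suffix.
    """
    parts = name.split(".")
    if len(parts) < 2:
        return name
    base, exts = parts[0], parts[1:]
    munged = []
    for ext in exts:
        low = ext.lower()
        if low in DANGEROUS_EXTENSIONS and low not in allowed:
            munged.append(ext + "_")
        else:
            munged.append(ext)
    return ".".join([base] + munged)


def is_allowed_extension(name: str, allowed: set[str]) -> bool:
    """Accept a name only if its final extension is on the allow-list."""
    parts = name.rsplit(".", 1)
    return len(parts) == 2 and parts[1].lower() in allowed


def sanitize_upload_name(filename: str, allowed: set[str]) -> Optional[str]:
    """Return a safe storage name for an uploaded file, or None to reject it.

    Steps: drop client-supplied directory parts, strip control and format
    characters, collapse whitespace and dot runs, munge dangerous
    intermediate extensions, then require an allow-listed final extension.
    """
    allowed = {e.lower().lstrip(".") for e in allowed}
    # 1. The client controls the whole path; keep only the last component.
    name = os.path.basename(filename.replace("\\", "/"))
    # 2. Remove Unicode control/format/private-use characters (category C*).
    name = "".join(c for c in name if unicodedata.category(c)[0] != "C")
    # 3. Normalise whitespace and dot runs; drop leading dots so that a
    #    dotfile such as '.htaccess' cannot slip through as a bare name.
    name = re.sub(r"\s+", "_", name)
    name = re.sub(r"\.{2,}", ".", name).strip(". ")
    if not name:
        return None
    # 4. Neutralise executable extensions anywhere before the last one.
    name = munge_filename(name, allowed)
    # 5. The final extension decides how the file is served; allow-list it.
    if not is_allowed_extension(name, allowed):
        return None
    return name


if __name__ == "__main__":
    for sample in ["report.php.txt", "../../upload.phar.jpg", "photo.PNG",
                   "image.jpg.php", ".htaccess", "notes .tar.gz"]:
        print(f"{sample!r:28} -> {sanitize_upload_name(sample, {'txt', 'jpg', 'png', 'gz'})!r}")
```

Munging alone is not sufficient: the sanitized name must also be stored and served from a location where the web server does not execute scripts, and responses should carry a correct Content-Type, so that a misinterpreted extension cannot turn into code execution even if a future filter misses a case.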
Recommendations
For Drupal Core versions prior to 9.0.8, update to version 9.0.8 or later.
For Drupal Core versions prior to 8.9.9, update to version 8.9.9 or later.
For Drupal Core versions prior to 8.8.11, update to version 8.8.11 or later.
For Drupal Core versions prior to 7.74, update to version 7.74 or later.
As a temporary workaround, consider restricting the upload of files to minimize the risk of exploitation. Avoid using the vulnerable file upload functionality until the issue is resolved.
Unrestricted File Upload
Special Elements Injection
Affected Products
Drupal Core
Ubuntu