{"cve":{"cve_id":"CVE-2020-13671","is_kev":true,"kev_date_added":"2022-01-18","kev_vendor_project":"Drupal","kev_product":"Drupal core","kev_vulnerability_name":"Drupal core Un-restricted Upload of File","kev_short_description":"Improper sanitization in the extension file names is present in Drupal core.","kev_required_action":"Apply updates per vendor instructions.","kev_due_date":"2022-07-18","kev_known_ransomware":false,"kev_notes":"https://nvd.nist.gov/vuln/detail/CVE-2020-13671","kev_cwes":["CWE-434"],"epss_score":0.04269,"epss_percentile":0.89796,"epss_as_of":"2026-06-23","description":"Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.","published_at":"2020-11-20T15:40:39Z","last_modified_at":null,"cvss_v3_score":8.8,"cvss_v3_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","cvss_v3_severity":"HIGH","cvss_v4_score":null,"cvss_v4_vector":null,"cvss_v4_severity":null,"ssvc_decision":null,"ssvc_exploitation":"active","ssvc_automatable":false,"ssvc_technical_impact":"total","cwes":["CWE-434"],"nvd_references":["https://www.drupal.org/sa-core-2020-012","https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/","https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/"],"vuln_status":null,"trending_score":null,"is_trending":false,"has_trended":false,"trended_number_one":false,"trending_peak_score":null,"trending_peak_rank":null,"started_trending_at":null,"trended_number_one_at":null,"summary_generated":null,"summary_generated_at":null,"summary_model":null,"created_at":"2026-06-24T00:09:31.350578Z","updated_at":"2026-06-28T23:13:27.585301Z"},"effective_severity":"HIGH","badges":["kev"],"impact_analysis":[],"cvss_v3_decoded":{"version":"3.1","metrics":[{"metric":"AV","name":"Attack Vector","value":"N","value_label":"Network"},{"metric":"AC","name":"Attack Complexity","value":"L","value_label":"Low"},{"metric":"PR","name":"Privileges Required","value":"L","value_label":"Low"},{"metric":"UI","name":"User Interaction","value":"N","value_label":"None"},{"metric":"S","name":"Scope","value":"U","value_label":"Unchanged"},{"metric":"C","name":"Confidentiality","value":"H","value_label":"High"},{"metric":"I","name":"Integrity","value":"H","value_label":"High"},{"metric":"A","name":"Availability","value":"H","value_label":"High"}]},"cvss_v4_decoded":{"version":null,"metrics":[]},"affected":[{"vendor_slug":"drupal","vendor_name":"Drupal","product_slug":"drupal-core","product_name":"Drupal core","version_start":"9.0 versions prior to 9.0.8","version_start_inclusive":true,"version_end":"9.0 versions prior to 9.0.8","version_end_inclusive":true,"cpe23_uri":"cve5:drupal:drupal-core:9.0 versions prior to 9.0.8:9.0 versions prior to 9.0.8"},{"vendor_slug":"drupal","vendor_name":"Drupal","product_slug":"drupal-core","product_name":"Drupal core","version_start":"8.9 versions prior to 8.9.9","version_start_inclusive":true,"version_end":"8.9 versions prior to 8.9.9","version_end_inclusive":true,"cpe23_uri":"cve5:drupal:drupal-core:8.9 versions prior to 8.9.9:8.9 versions prior to 8.9.9"},{"vendor_slug":"drupal","vendor_name":"Drupal","product_slug":"drupal-core","product_name":"Drupal core","version_start":"8.8 versions prior to 8.8.11","version_start_inclusive":true,"version_end":"8.8 versions prior to 8.8.11","version_end_inclusive":true,"cpe23_uri":"cve5:drupal:drupal-core:8.8 versions prior to 8.8.11:8.8 versions prior to 8.8.11"},{"vendor_slug":"drupal","vendor_name":"Drupal","product_slug":"drupal-core","product_name":"Drupal core","version_start":"7 versions prior to 7.74","version_start_inclusive":true,"version_end":"7 versions prior to 7.74","version_end_inclusive":true,"cpe23_uri":"cve5:drupal:drupal-core:7 versions prior to 7.74:7 versions prior to 7.74"}],"exploit_refs":[],"news":[],"references":[{"url":"https://www.drupal.org/sa-core-2020-012","source_type":"MISC","tags":[]},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/","source_type":"MAILING_LIST","tags":["mailing-list"]},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/","source_type":"MAILING_LIST","tags":["mailing-list"]}],"timeline":[{"type":"published","at":"2020-11-20T15:40:39Z","label":"CVE published","source":null},{"type":"cisa_reported","at":"2022-01-18T00:00:00Z","label":"Added to CISA KEV catalog","source":"kev"},{"type":"ssvc_changed","at":"2026-06-24T00:31:26.536244Z","label":"SSVC decision revised","source":"vulnrichment"},{"type":"ssvc_changed","at":"2026-06-24T00:31:26.536244Z","label":"SSVC decision revised","source":"vulnrichment"},{"type":"ssvc_changed","at":"2026-06-24T00:31:26.536244Z","label":"SSVC decision revised","source":"vulnrichment"},{"type":"cvss_changed","at":"2026-06-24T00:31:26.536244Z","label":"CVSS score revised","source":"vulnrichment"},{"type":"cvss_changed","at":"2026-06-24T00:31:26.536244Z","label":"CVSS score revised","source":"vulnrichment"},{"type":"cvss_changed","at":"2026-06-24T00:31:26.536244Z","label":"CVSS score revised","source":"vulnrichment"}]}