CVE-2020-13675 — Unrestricted Upload of File with Dangerous Type in Drupal core

Description

Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site.

How to fix CVE-2020-13675

To remediate CVE-2020-13675, upgrade the affected package to a fixed version below.

—upgrade to 8.9.19 or later
—upgrade to 8.9.19 or later
—upgrade to 8.9.19 or later
—upgrade to 4.2.0 or later

Is CVE-2020-13675 being exploited?

Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

>= 8.0.0, < 8.9.19, >= 9.1.0, < 9.1.13, >= 9.2.0, < 9.2.6
>= 8.0.0, < 8.9.19 | >= 9.1.0, < 9.1.13 | >= 9.2.0, < 9.2.6
>= 8.0.0, < 8.9.19
>= 4.0.0, < 4.2.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-13675
PATCHgithub.com/drupal/core
WEBwww.drupal.org/sa-contrib-2021-029
WEBwww.drupal.org/sa-core-2021-008