CVE-2020-13675: Malicious File Upload
First published: Fri Feb 11 2022(Updated: )
Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site.
Credit: mlhess@drupal.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Drupal Drupal | >=8.0.0<8.9.19 | |
| Drupal Drupal | >=9.1.0<9.1.13 | |
| Drupal Drupal | >=9.2.0<9.2.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-13675?
CVE-2020-13675 is a vulnerability in Drupal's JSON:API and REST/File modules that allows for file uploads that bypass file validation.
What is the severity of CVE-2020-13675?
CVE-2020-13675 has a severity rating of 9.8 (Critical).
Which software versions are affected by CVE-2020-13675?
Drupal versions 8.0.0 to 8.9.19, 9.1.0 to 9.1.13, and 9.2.0 to 9.2.6 are affected by CVE-2020-13675.
How does CVE-2020-13675 work?
CVE-2020-13675 allows attackers to upload files that bypass the file validation process implemented by modules on the Drupal site.
How can I fix CVE-2020-13675?
To fix CVE-2020-13675, it is recommended to update to the latest version of Drupal and apply any available patches.
- collector/nvd-index
- agent/references
- agent/severity
- agent/author
- agent/tags
- agent/weakness
- agent/type
- agent/event
- agent/description
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- vendor/drupal
- canonical/drupal drupal
- version/drupal drupal/8.0.0
- version/drupal drupal/9.1.0
- version/drupal drupal/9.2.0