Security advisories: Drupal core – Critical – Remote code execution – SA-CORE-2020-012

Project: 
Date: 2020-November-18
Vulnerability: Remote code execution
CVE IDs: CVE-2020-13671
Description: 
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.

Additionally, it’s recommended that you audit all previously uploaded files to check for malicious extensions. Look specifically for files that include more than one extension, like .php.txt or .html.gif.
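
One way to run that audit, as an added example that is not part of the advisory or of Drupal's own code: the script walks an upload directory and flags filenames in which a risky extension appears before the final one. The `RISKY` watch-list, the function names and the sample filenames are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumed watch-list (the advisory itself names only .php and .html as
# examples); adjust to what your web server would execute or render.
RISKY = {"php", "phtml", "phar", "php5", "php7", "pht",
         "html", "htm", "shtml", "js", "cgi", "pl", "py", "asp"}


def inner_risky_extensions(filename):
    """Return risky extensions that appear before the final one.

    "report.php.txt" -> ["php"]; "photo.jpg" -> []; "a.tar.gz" -> [].
    Case-insensitive; a trailing dot ("x.php.") still counts, because
    the empty last segment is treated as the final extension.
    """
    parts = filename.lower().split(".")
    if len(parts) < 3:          # a name plus at most one extension
        return []
    return [ext for ext in parts[1:-1] if ext in RISKY]


def audit_uploads(root):
    """Walk root; return sorted (relative_path, extensions) for flagged files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            hits = inner_risky_extensions(name)
            if hits:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel, hits))
    return sorted(findings)


def demo():
    """Build a constructed upload tree in a temp dir and audit it."""
    names = ["photo.jpg", "notes.php.txt", "banner.HTML.gif",
             "backup.tar.gz", "2020/11/x.phar.png"]
    with tempfile.TemporaryDirectory() as root:
        for n in names:
            path = os.path.join(root, n)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return audit_uploads(root)


if __name__ == "__main__":
    for rel, hits in demo():
        print(f"{rel}\t{','.join(hits)}")
```

To audit a real site, call `audit_uploads()` on the public files directory and review each flagged file by hand; a match means the name deserves inspection, not that the file is malicious.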

Reported By: 
Fixed By: