Is CVE-2020-13671 actively exploited?

CVE-2020-13671 has no public evidence of in-the-wild exploitation as of 2025-11-03.

What is the CVSS score for CVE-2020-13671?

CVE-2020-13671 has a CVSS score of 8.8 (HIGH severity). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

How do I patch CVE-2020-13671?

Patch guidance is available from drupal security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2020-13671.

Fix CVE-2020-13671 - HIGH drupal drupal

Q: Which products are affected by CVE-2020-13671?

6 products: drupal drupal, drupal drupal, drupal drupal, drupal drupal, fedoraproject fedora, and 1 more.

Description

Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: network
Complexity: low
Privileges: low
User Action: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high
Weaknesses: CWE-434 · Unrestricted File Upload CWE-434 · Unrestricted File Upload

Metadata

Primary Vendor: DRUPAL
Published: 11/20/2020
Last Modified: 11/3/2025
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

Affected Products

drupal : drupaldrupal : drupaldrupal : drupaldrupal : drupalfedoraproject : fedorafedoraproject : fedora

Remediation Guidance

Executive Summary

View on NIST NVD