Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-13675

Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site.

Published

2022-02-11T16:15:08.367

Last Modified

2024-11-21T05:01:44.453

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

6.4

Weaknesses

Type: Secondary
CWE-284
Type: Primary
CWE-434

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	drupal	drupal	< 8.9.19	Yes
Application	drupal	drupal	< 9.1.13	Yes
Application	drupal	drupal	< 9.2.6	Yes

References

https://www.drupal.org/sa-core-2021-008 Mitigation, Patch, Vendor Advisory ([email protected])
https://www.drupal.org/sa-core-2021-008 Mitigation, Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)