CVE-2020-13675

CRITICAL severity · CVSS 9.8 · Improper access control

9.8CVSS CRITICAL

Summary

Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredNone

User interactionNone

Confidentiality impactHigh

Integrity impactHigh

Availability impactHigh

Exploit probability (EPSS)1%

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products we track (1)

Drupal

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Official patch: https://www.drupal.org/sa-core-2021-008 ↗

Additional information

NVD record
https://www.drupal.org/sa-core-2021-008Patch
https://www.drupal.org/sa-core-2021-008Patch