Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.

- https://www.drupal.org/project/drupal/releases/8.9.11

- https://www.drupal.org/project/drupal/releases/8.9.10

    - https://www.drupal.org/sa-core-2020-013       (CVE-2020-28948 / CVE-2020-28949)

- https://www.drupal.org/project/drupal/releases/8.9.9

    - https://www.drupal.org/sa-core-2020-012       (CVE-2020-13671)

- https://www.drupal.org/project/drupal/releases/8.9.8

- https://www.drupal.org/project/drupal/releases/8.9.7

- https://www.drupal.org/project/drupal/releases/8.9.6

    - https://www.drupal.org/sa-core-2020-011       (CVE-2020-13670)

    - https://www.drupal.org/sa-core-2020-010       (CVE-2020-13669)

    - https://www.drupal.org/sa-core-2020-009       (CVE-2020-13668)

    - https://www.drupal.org/sa-core-2020-008       (CVE-2020-13667)

    - https://www.drupal.org/sa-core-2020-007       (CVE-2020-13666)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Two vulnerabilities were discovered in Drupal, a fully-featured content management framework.

CVE-2020-13666

The Drupal AJAX API did not disable JSONP by default, which could lead to cross-site scripting.

For setups that relied on Drupal's AJAX API for JSONP requests, either JSONP will need to be reenabled, or the jQuery AJAX API will have to be used instead.

See the upstream advisory for more details:
https://www.drupal.org/sa-core-2020-007

CVE-2020-13671

Drupal failed to sanitize filenames on uploaded files, which could lead to those files being served as the wrong MIME type, or being executed depending on the server configuration.

It is also recommended to check previously uploaded files for malicious extensions. For more details see the upstream advisory: https://www.drupal.org/sa-core-2020-012

For Debian 9 stretch, these problems have been fixed in version 7.52-2+deb9u12.

We recommend that you upgrade your drupal7 packages.

For the detailed security status of drupal7 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/drupal7

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its self-reported version, the instance of Drupal running on the remote web server is 7.x prior to 7.74, 8.x prior to 8.8.11, 8.9.x prior to 8.9.9, or 9.0.x prior to 9.0.8. It is, therefore, affected by a remote code execution vulnerability in its file upload functionality due to a failure to sanitize filenames. An authenticated, remote attacker can exploit this to execute arbitrary php code under certain hosting configurations.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its self-reported version, the instance of Drupal running on the remote web server is 7.0.x prior to 7.74, 8.8.x prior to 8.8.11, 8.9.x prior to 8.9.9 or 9.0.x prior to 9.0.8. It is, therefore, affected by a remote code execution due to filenames on uploaded files not properly sanitize.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
144247	Fedora 32 : drupal8 (2020-d50d74d6f2)	Nessus	Fedora Local Security Checks	high
144225	Fedora 33 : drupal8 (2020-6f1079934c)	Nessus	Fedora Local Security Checks	high
143138	Debian DLA-2458-1 : drupal7 security update	Nessus	Debian Local Security Checks	high
143126	Drupal 7.x < 7.74 / 8.x < 8.8.11 / 8.9.x < 8.9.9 / 9.0.x < 9.0.8 RCE (SA-CORE-2020-012)	Nessus	CGI abuses	high
112661	Drupal 7.x < 7.74 Remote Code Execution	Web App Scanning	Component Vulnerability	high
112660	Drupal 8.8.x < 8.8.11 Remote Code Execution	Web App Scanning	Component Vulnerability	high
112659	Drupal 8.9.x < 8.9.9 Remote Code Execution	Web App Scanning	Component Vulnerability	high
112658	Drupal 9.0.x < 9.0.8 Remote Code Execution	Web App Scanning	Component Vulnerability	high

Detections

Analytics

CVE-2020-13671

high

Tenable Plugins

high

high

high

high

high

high

high

high