File Extension Bypass Vulnerability in Drupal by Acquia
CVE-2024-13311

7.3 HIGH

Key Information:

Vendor: Drupal
CVE Published: 9 January 2025

Summary

A security vulnerability exists in Drupal that allows unrestricted file extensions for file fields, potentially enabling unauthorized file uploads. This flaw could result in users being able to upload malicious files that could compromise the integrity of the application. It is critical to monitor and restrict file upload capabilities to maintain the security posture of the Drupal platform. For more details, refer to the announcement on the official Drupal security page.

Affected Version(s)

Allow All File Extensions for file fields *.*

CVSS V3.1

Score: 7.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published