Description
Drupal core does not properly sanitize certain filenames on uploaded files. As a result, a file can be interpreted as having the wrong extension and be served with the wrong MIME type or, on certain hosting configurations, executed as PHP. This issue affects Drupal core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.