Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Drupal Core Improper Filename Sanitization Vulnerability Leading to Remote Code Execution

Vulnerability

A remote code execution vulnerability exists in Drupal Core due to improper sanitization of certain filenames in uploaded files. This flaw allows files to be misinterpreted as different extensions, potentially leading to incorrect MIME types being served or files being executed as PHP, depending on the hosting configuration. The vulnerability affects multiple Drupal versions: 9.0 (prior to 9.0.8), 8.9 (prior to 8.9.9), 8.8 (prior to 8.8.11), and 7 (prior to 7.74).

Impact

Exploitation of this vulnerability allows for remote code execution on the server where Drupal is hosted.

Remediation

Users can update to Drupal 9.0.8, 8.9.9, 8.8.11, or 7.74. For versions of Drupal 8 prior to 8.8.x, which are end-of-life and do not receive security coverage, no update is available. After updating, it is recommended to audit all previously uploaded files for malicious extensions, paying special attention to files with multiple extensions that could be misinterpreted, as well as certain dangerous file types that should be considered harmful regardless of additional extensions.
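An added example for the post-update audit described above (not code from the advisory or from Drupal): a Python helper that walks an upload directory and flags filenames where a script extension appears as the final extension or hidden as an inner one (the pattern that some server handler configurations still execute). The extension list is an assumption and should be matched to the actual hosting configuration.

```python
import os

# Constructed list for this example: extensions a typical hosting stack may hand to
# a script interpreter. Adjust it to match the server's actual handler configuration.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}


def audit_filename(name: str) -> list[str]:
    """Return review reasons for a stored filename, or an empty list if none apply.

    A script extension anywhere in the name is reported: as the final extension it
    is directly executable, and as an inner extension (e.g. 'x.php.txt') it may
    still be executed by servers that match handlers on any extension segment.
    """
    parts = name.lower().split(".")
    exts = parts[1:]  # every segment after the base name, in order
    reasons = []
    for pos, ext in enumerate(exts):
        if ext not in EXECUTABLE_EXTENSIONS:
            continue
        if pos == len(exts) - 1:
            reasons.append(f"executable extension .{ext}")
        else:
            trailing = ".".join(exts[pos + 1:])
            reasons.append(f"inner executable extension .{ext} before .{trailing}")
    return reasons


def audit_upload_tree(root: str) -> dict[str, list[str]]:
    """Walk an upload directory and map each suspicious path to its review reasons."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            reasons = audit_filename(fn)
            if reasons:
                findings[os.path.join(dirpath, fn)] = reasons
    return findings


if __name__ == "__main__":
    import sys

    # Usage: python audit_uploads.py /path/to/drupal/sites/default/files
    for path, reasons in sorted(audit_upload_tree(sys.argv[1]).items()):
        print(path, "->", "; ".join(reasons))
```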

Added: May 15, 2026, 11:53 AM
Updated: May 15, 2026, 11:53 AM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 10.0
exploitability: 6.7
remediation: 7.7
relevance: 0.0
threat: 8.1
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.