Drupal core - Critical - Remote code execution - SA-CORE-2020-012

Project: Drupal coreDate: 2020-November-18Security risk: Critical 17∕25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: Remote code executionCVE IDs: CVE-2020-13671Description: Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.Solution: Install the latest version:

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.
Additionally, it's recommended that you audit all previously uploaded files to check for malicious extensions. Look specifically for files that include more than one extension, like .php.txt or .html.gif.Reported By: 

Fixed By: 

Path to article https://www.drupal.org/sa-core-2020-012