Backdrop core - Critical - Remote code execution - SA-CORE-2020-007

Backdrop core - Critical - Remote code execution - SA-CORE-2020-007

Date: Wednesday, Nov 18th, 2020
Security risk: Critical
Advisory ID: BACKDROP-SA-CORE-2020-007
CVE ID: CVE-2020-13671
Vulnerability: Remote Code Execution

Versions affected

  • Backdrop Core 1.17.x versions prior to 1.17.3
  • Backdrop Core 1.16.x versions prior to 1.16.5

Backdrop versions 1.15 and prior do not receive security coverage.


Backdrop core does not properly sanitize certain filenames on uploaded files. This can lead to files being interpreted as the incorrect extension and served as the wrong MIME type, or executed as PHP for certain hosting configurations.


Upgrade your site to the most recent version of Backdrop core. If you are on AltaGrade hosting platform, then just running the brush up backdrop -y && brush updb -y from command line is all you need to take care of the problem.

Otherwise, download available on the Backdrop CMS 1.17.3 release page. See the update instructions, if needed.

Additionally, it's recommended that you audit all previously uploaded files to check for malicious extensions. Look specifically for files that include more than one extension, like .php.txt or .html.gif.

Nick Onom's picture
Nick Onom
Marketing Project Manager
Enthusiastic about all kinds of Open Source applications, AI, bitcoins, but mostly Drupal and Backdrop. For last years has been actively developing AltaGrade's new back-end system.

We value your opinion. Please add your feedback.