CVE-2020-13675: 
PHP vulnerability analysis and mitigation

Drupal's JSON:API and REST/File modules contain a vulnerability (CVE-2020-13675) related to file upload functionality through their HTTP APIs. The vulnerability was initially identified and assigned on May 28, 2020, with full disclosure occurring in February 2022. The issue affects Drupal core versions 9.2.x before 9.2.6, 9.1.x before 9.1.13, and 8.9.x before 8.9.19 (CERT-FR).

The vulnerability stems from improper implementation of file validation processes in Drupal's JSON:API and REST/File modules. Specifically, these modules fail to correctly execute all necessary file validation checks during the file upload process through their HTTP APIs (NVD). The vulnerability has been classified under CWE-284, which relates to improper access control (NVD CNA).

The vulnerability could allow attackers to bypass the file validation process implemented by modules on the site, potentially leading to unauthorized file uploads. This creates a security bypass vulnerability that could compromise the system's integrity (CVE).

The vulnerability has been addressed in Drupal core versions 9.2.6, 9.1.13, and 8.9.19. Users running versions prior to these releases should upgrade to the respective patched versions. It's important to note that versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are no longer maintained and must be updated to a supported version to receive security fixes (CERT-FR).