{"id":"CVE-2020-13443","details":"ExpressionEngine before 5.3.2 allows remote attackers to upload and execute arbitrary code in a .php%20 file via Compose Msg, Add attachment, and Save As Draft actions. A user with low privileges (member) is able to upload this. It is possible to bypass the MIME type check and file-extension check while uploading new files. Short aliases are not used for an attachment; instead, direct access is allowed to the uploaded files. It is possible to upload PHP only if one has member access, or registration/forum is enabled and one can create a member with the default group id of 5. To exploit this, one must be able to send and compose messages (at least).","modified":"2026-04-11T22:58:22.390515Z","published":"2020-06-24T15:15:11.617Z","references":[{"type":"ADVISORY","url":"https://expressionengine.com/blog"},{"type":"EVIDENCE","url":"https://gist.github.com/mariuszpoplwski/51604d8a6d7d78fffdf590c25e844e09"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/expressionengine/expressionengine","events":[{"introduced":"0"},{"fixed":"82d7d2d68e8b6e4244489b3ce051305e83af8824"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"5.3.2"}],"cpe":"cpe:2.3:a:expressionengine:expressionengine:*:*:*:*:*:*:*:*","source":"CPE_FIELD"}}],"versions":["5.3.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-13443.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}