CVE-2020-13666

CWE-79 — Cross-site Scripting (XSS)10 documents6 sources

Severity

6.1MEDIUM

EPSS

0.5%

top 33.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Drupal Drupal Core Drupal Drupal Drupal Core

Timeline

PublishedMay 5

Latest updateMay 24

Description

Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶Packagistdrupal/core8.0.0 — 8.8.10+4

▶CVEListV5drupal/drupal_core7.x — 7.73+3

▶NVDdrupal/drupal7.0 — 7.73+3

▶Packagistdrupal/drupal7.0.0 — 7.73+3

🔴Vulnerability Details

OSV

Drupal Core Cross-site scripting vulnerability↗2022-05-24

▶

GHSA

Drupal Core Cross-site scripting vulnerability↗2022-05-24

▶

CVEList

CVE-2020-13666: Cross-site scripting vulnerability in Drupal Core↗2021-05-05

▶

OSV

CVE-2020-13666: Cross-site scripting vulnerability in Drupal Core↗2021-05-05

▶

OSV

CVE-2020-13666: The Drupal AJAX API does not disable JSONP by default, which can lead to cross-site scripting↗2020-09-16

▶

📋Vendor Advisories

Drupal

Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-007↗2020-09-16

▶

💬Community

Bugzilla

CVE-2020-13666 drupal: AJAX API does not disable JSONP by default leads to XSS↗2020-10-14

▶

Bugzilla

CVE-2020-13666 drupal: AJAX API does not disable JSONP by default leads to XSS [fedora-all]↗2020-10-14

▶

Bugzilla

CVE-2020-13666 drupal: AJAX API does not disable JSONP by default leads to XSS [epel-all]↗2020-10-14

▶