CVE-2020-13666
Published: 2021-05-05
Priority: P4 · 30 · medium · 6.1 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 2.93% (85.3th percentile)
Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.
Affected (18 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | core | >= 7.0.0 < 7.73 | 7.73 |
| drupal | core | >= 8.0.0 < 8.8.10 | 8.8.10 |
| drupal | core | >= 8.8.0 < 8.8.10 | 8.8.10 |
| drupal | core | >= 8.9.0 < 8.9.6 | 8.9.6 |
| drupal | core | >= 9.0.0 < 9.0.6 | 9.0.6 |
| drupal | drupal | >= 7.0 < 7.73 | 7.73 |
| drupal | drupal | >= 7.0.0 < 7.73 | 7.73 |
| drupal | drupal | >= 8.8.0 < 8.8.10 | 8.8.10 |
| drupal | drupal | >= 8.8.0 < 8.8.10 | 8.8.10 |
| drupal | drupal | >= 8.9.0 < 8.9.6 | 8.9.6 |
| drupal | drupal | >= 8.9.0 < 8.9.6 | 8.9.6 |
| drupal | drupal | >= 9.0.0 < 9.0.6 | 9.0.6 |
| drupal | drupal | >= 9.0.0 < 9.0.6 | 9.0.6 |
| drupal | drupal_core | — | — |
| drupal | drupal_core | >= 7.x < 7.73 | 7.73 |
| drupal | drupal_core | >= 8.8.x < 8.8.10 | 8.8.10 |
| drupal | drupal_core | >= 8.9.x < 8.9.6 | 8.9.6 |
| drupal | drupal_core | >= 9.0.x < 9.0.6 | 9.0.6 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 6.1 | MEDIUM | — |
OSV · 2022-05-24
CVE-2020-13666 [MEDIUM] Drupal Core Cross-site scripting vulnerability
Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.
GHSA · 2022-05-24
CVE-2020-13666 [MEDIUM] CWE-79 Drupal Core Cross-site scripting vulnerability
Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.
OSV · 2021-05-05 · CVSS 6.1
CVE-2020-13666 [MEDIUM] CVE-2020-13666: Cross-site scripting vulnerability in Drupal Core
Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.
OSV · 2020-09-16
CVE-2020-13666: The Drupal AJAX API does not disable JSONP by default, which can lead to cross-site scripting
The Drupal AJAX API does not disable JSONP by default, which can lead to cross-site scripting.
Drupal (vendor_drupal) · 2020-09-16
CVE-2020-13666 [MEDIUM] Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-007
Vulnerability Type: Cross-site scripting
Description: The Drupal AJAX API does not disable JSONP by default, which can lead to cross-site scripting.
Solution: Install the latest version: If you are using Drupal 7.x, upgrade to Drupal 7.73. If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10. If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6. If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6. Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10. If you were previously relying on Drupal's AJAX API to perform trusted JSONP requests, you'll either need to override the AJAX options to set "jsonp: true", or
No detection rules found.
No public exploits indexed.
Bugzilla · 2020-10-14 · CVSS 6.1
CVE-2020-13666 [MEDIUM] CVE-2020-13666 drupal: AJAX API does not disable JSONP by default leads to XSS
The Drupal AJAX API does not disable JSONP by default, which can lead to cross-site scripting.
Discussion:
Created drupal tracking bugs for this issue:
Affects: epel-all [bug 1888125]
Affects: fedora-all [bug 1888124]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Bugzilla · 2020-10-14 · CVSS 6.1
CVE-2020-13666 [MEDIUM] CVE-2020-13666 drupal: AJAX API does not disable JSONP by default leads to XSS [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supp
Bugzilla · 2020-10-14 · CVSS 6.1
CVE-2020-13666 [MEDIUM] CVE-2020-13666 drupal: AJAX API does not disable JSONP by default leads to XSS [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supporte