CVE-2020-13668 — Cross-site Scripting in Drupal Core

CWE-79 — Cross-site Scripting5 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

0.2%

top 55.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Drupal Core Drupal

Timeline

PublishedFeb 11

Latest updateFeb 12

Description

Access Bypass vulnerability in Drupal Core allows for an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶CVEListV5drupal/core8.8.x — 8.8.10+2

▶Packagistdrupal/core8.0.0 — 8.8.10+2

▶NVDdrupal/drupal8.8.0 — 8.8.10+2

▶Packagistdrupal/drupal8.0.0 — 8.8.10+2

Patches

Patch: www.drupal.org ↗Patch: www.drupal.org ↗

🔴Vulnerability Details

OSV

Cross-site Scripting in Drupal Core↗2022-02-12

▶

GHSA

Cross-site Scripting in Drupal Core↗2022-02-12

▶

CVEList

Access bypass in Drupal Core 8/9↗2022-02-11

▶

OSV

CVE-2020-13668: Access Bypass vulnerability in Drupal Core allows for an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the↗2022-02-11

▶