CVE-2020-13669
Published 2022-02-11
Priority: P4 · 27 · medium · 6.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.63% (45.8th percentile)
Cross-site Scripting (XSS) vulnerability in ckeditor of Drupal Core allows attacker to inject XSS. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | core | >= 8.0.0 < 8.8.10 | 8.8.10 |
| drupal | core | >= 8.8.x < 8.8.10 | 8.8.10 |
| drupal | core | >= 8.9.0 < 8.9.6 | 8.9.6 |
| drupal | core | >= 8.9.x < 8.9.6 | 8.9.6 |
| drupal | core | >= 9.0.0 < 9.0.6 | 9.0.6 |
| drupal | core | >= 9.0.x < 9.0.6 | 9.0.6 |
| drupal | drupal | >= 8.0.0 < 8.8.10 | 8.8.10 |
| drupal | drupal | >= 8.8.0 < 8.8.10 | 8.8.10 |
| drupal | drupal | >= 8.9.0 < 8.9.6 | 8.9.6 |
| drupal | drupal | >= 8.9.0 < 8.9.6 | 8.9.6 |
| drupal | drupal | >= 9.0.0 < 9.0.6 | 9.0.6 |
| drupal | drupal | >= 9.0.0 < 9.0.6 | 9.0.6 |
| drupal | drupal_core | — | — |
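CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 6.1 | MEDIUM | — |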
GHSA
Drupal core Cross-site Scripting (XSS) vulnerability in ckeditor
ghsa·2022-02-12
CVE-2020-13669 [MEDIUM] CWE-79 Drupal core Cross-site Scripting (XSS) vulnerability in ckeditor
Cross-site Scripting (XSS) vulnerability in ckeditor of Drupal Core allows attacker to inject XSS. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.
OSV
Drupal core Cross-site Scripting (XSS) vulnerability in ckeditor
osv·2022-02-12
CVE-2020-13669 [MEDIUM] Drupal core Cross-site Scripting (XSS) vulnerability in ckeditor
Cross-site Scripting (XSS) vulnerability in ckeditor of Drupal Core allows attacker to inject XSS. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.
OSV
CVE-2020-13669: Cross-site Scripting (XSS) vulnerability in ckeditor of Drupal Core allows attacker to inject XSS
osv·2022-02-11·CVSS 6.1
CVE-2020-13669 [MEDIUM] CVE-2020-13669: Cross-site Scripting (XSS) vulnerability in ckeditor of Drupal Core allows attacker to inject XSS
Cross-site Scripting (XSS) vulnerability in ckeditor of Drupal Core allows attacker to inject XSS. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.
OSV
CVE-2020-13669: Drupal core's built-in CKEditor image caption functionality is vulnerable to XSS
osv·2020-09-16
CVE-2020-13669 CVE-2020-13669: Drupal core's built-in CKEditor image caption functionality is vulnerable to XSS
Drupal core's built-in CKEditor image caption functionality is vulnerable to XSS.
Drupal
Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-010
vendor_drupal·2020-09-16
CVE-2020-13669 [MEDIUM] Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-010
Title: Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-010
Vulnerability Type: Cross-site scripting
Description: Drupal core's built-in CKEditor image caption functionality is vulnerable to XSS.
Solution: Install the latest version:
- If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10.
- If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6.
- If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6.

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.