CVE-2020-13669 — Cross-site Scripting in Drupal Core

CWE-79 — Cross-site Scripting7 documents5 sources

Severity

6.1MEDIUMNVD

EPSS

0.2%

top 57.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Drupal Core Drupal

Timeline

PublishedFeb 11

Latest updateFeb 12

Description

Cross-site Scripting (XSS) vulnerability in ckeditor of Drupal Core allows attacker to inject XSS. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10.; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶CVEListV5drupal/core8.8.x — 8.8.10+2

▶Packagistdrupal/core8.0.0 — 8.8.10+2

▶NVDdrupal/drupal8.8.0 — 8.8.10+2

▶Packagistdrupal/drupal8.0.0 — 8.8.10+2

Patches

Patch: www.drupal.org ↗Patch: www.drupal.org ↗

🔴Vulnerability Details

GHSA

Drupal core Cross-site Scripting (XSS) vulnerability in ckeditor↗2022-02-12

▶

OSV

Drupal core Cross-site Scripting (XSS) vulnerability in ckeditor↗2022-02-12

▶

CVEList

CVE-2020-13669: Cross-site Scripting (XSS) vulnerability in ckeditor of Drupal Core allows attacker to inject XSS↗2022-02-11

▶

OSV

CVE-2020-13669: Cross-site Scripting (XSS) vulnerability in ckeditor of Drupal Core allows attacker to inject XSS↗2022-02-11

▶

OSV

CVE-2020-13669: Drupal core's built-in CKEditor image caption functionality is vulnerable to XSS↗2020-09-16

▶

📋Vendor Advisories

Drupal

Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-010↗2020-09-16

▶