CVE-2020-13672
Published 2022-02-11
Priority P4 · 25 · medium · 6.1 CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.66% (47.0th percentile)
Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14; 7.x versions prior to 7.80.
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | core | >= 7.0.0 < 7.80 | 7.80 |
| drupal | core | >= 7.x < 7.80 | 7.80 |
| drupal | core | >= 8.0.0 < 8.9.14 | 8.9.14 |
| drupal | core | >= 8.9.x < 8.9.14 | 8.9.14 |
| drupal | core | >= 9.0.0 < 9.0.12 | 9.0.12 |
| drupal | core | >= 9.0.x < 9.0.12 | 9.0.12 |
| drupal | core | >= 9.1.0 < 9.1.7 | 9.1.7 |
| drupal | core | >= 9.1.x < 9.1.7 | 9.1.7 |
| drupal | drupal | < 7.80 | 7.80 |
| drupal | drupal | >= 7.0.0 < 7.80 | 7.80 |
| drupal | drupal | >= 8.0.0 < 8.9.14 | 8.9.14 |
| drupal | drupal | >= 8.9.0 < 8.9.14 | 8.9.14 |
| drupal | drupal | >= 9.0.0 < 9.0.12 | 9.0.12 |
| drupal | drupal | >= 9.0.0 < 9.0.12 | 9.0.12 |
| drupal | drupal | >= 9.1.0 < 9.1.7 | 9.1.7 |
| drupal | drupal | >= 9.1.0 < 9.1.7 | 9.1.7 |
| drupal | drupal_core | — | — |
CVSS provenance
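| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 2.6 | LOW | AV:N/AC:H/Au:N/C:N/I:P/A:N |
| osv | — | 6.1 | MEDIUM | — |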
OSV
Drupal core Cross-site Scripting (XSS) vulnerability
osv·2022-02-12
CVE-2020-13672 [MEDIUM] Drupal core Cross-site Scripting (XSS) vulnerability
GHSA
Drupal core Cross-site Scripting (XSS) vulnerability
ghsa·2022-02-12
CVE-2020-13672 [MEDIUM] CWE-79 Drupal core Cross-site Scripting (XSS) vulnerability
OSV
CVE-2020-13672: Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances
osv·2022-02-11·CVSS 6.1
CVE-2020-13672 [MEDIUM] CVE-2020-13672: Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances
OSV
CVE-2020-13672: Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances
osv·2021-04-21
CVE-2020-13672 CVE-2020-13672: Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances
Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances.
Not all sites and users are affected, but configuration changes to prevent the exploit might be impractical and will vary between sites. Therefore, we recommend all sites update to this release as soon as possible.
Drupal
Drupal core - Critical - Cross-site scripting - SA-CORE-2021-002
vendor_drupal·2021-04-21
CVE-2020-13672 [HIGH] Drupal core - Critical - Cross-site scripting - SA-CORE-2021-002
Title: Drupal core - Critical - Cross-site scripting - SA-CORE-2021-002
Vulnerability Type: Cross-site scripting
Description: Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. Not all sites and users are affected, but configuration changes to prevent the exploit might be impractical and will vary between sites. Therefore, we recommend all sites update to this release as soon as possible.
Solution: Install the latest version:
- If you are using Drupal 9.1, update to Drupal 9.1.7.
- If you are using Drupal 9.0, update to Drupal 9.0.12.
- If you are using Drupal 8.9, update to Drupal 8.9.14.
- If you are using Drupal 7, update to Drupal 7.80.

Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage.