CVE-2020-13673 — Cross-Site Request Forgery in Drupal Entity Embed

CWE-352 — Cross-Site Request Forgery CWE-79 — Cross-site Scripting7 documents5 sources

Severity

6.1MEDIUMNVD

EPSS

0.1%

top 64.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Drupal Entity Embed Drupal Core

Timeline

PublishedFeb 11

Latest updateFeb 12

Description

The Entity Embed module provides a filter to allow embedding entities in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed entities. In some cases, this could lead to cross-site scripting.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶CVEListV5drupal/entity_embed8.x — 8.x-1.2

▶Packagistdrupal/entity_embed< 1.2.0

▶NVDdrupal/entity_embed8.x-1.0, 8.x-1.1, 8.x-1.2+2

▶Packagistdrupal/core8.0.0 — 8.9.19+2

Patches

Patch: www.drupal.org ↗Patch: www.drupal.org ↗

🔴Vulnerability Details

GHSA

GHSA-vhmw-c4p7-7jrc: The Entity Embed module provides a filter to allow embedding entities in content fields↗2022-02-12

▶

CVEList

CVE-2020-13673: The Entity Embed module provides a filter to allow embedding entities in content fields↗2022-02-11

▶

OSV

CVE-2020-13673: The Drupal core Media module allows embedding internal and external media in content fields↗2021-09-15

▶

OSV

CVE-2020-13673: This advisory addresses a similar issue to [Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-006](https://www↗2021-09-15

▶

📋Vendor Advisories

Drupal

Entity Embed - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2021-028↗2021-09-15

▶

Drupal

Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-006↗2021-09-15

▶