CVE-2020-13673
Published: 2022-02-11
Priority: P4 · 23 · medium · 6.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
EPSS: 0.26% (16.8th percentile)
The Entity Embed module provides a filter to allow embedding entities in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed entities. In some cases, this could lead to cross-site scripting.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | core | >= 8.0.0 < 8.9.19 | 8.9.19 |
| drupal | core | >= 9.1.0 < 9.1.13 | 9.1.13 |
| drupal | core | >= 9.2.0 < 9.2.6 | 9.2.6 |
| drupal | drupal_core | — | — |
| drupal | entity_embed | — | — |
| drupal | entity_embed | — | — |
| drupal | entity_embed | — | — |
| drupal | entity_embed | — | — |
| drupal | entity_embed | >= 0 < 1.2.0 | 1.2.0 |
| drupal | entity_embed | >= 8.x < 8.x-1.2 | 8.x-1.2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| NVD | 2.0 | 2.6 | LOW | AV:N/AC:H/Au:N/C:N/I:P/A:N |
GHSA: GHSA-vhmw-c4p7-7jrc (ghsa_unreviewed, 2022-02-12)
CVE-2020-13673 [MEDIUM] CWE-352: The Entity Embed module provides a filter to allow embedding entities in content fields
The Entity Embed module provides a filter to allow embedding entities in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed entities. In some cases, this could lead to cross-site scripting.
OSV (osv, 2021-09-15)
CVE-2020-13673: The Drupal core Media module allows embedding internal and external media in content fields
The Drupal core Media module allows embedding internal and external media in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed media. In some cases, this could lead to cross-site scripting.
This advisory is not covered by [Drupal Steward](/steward).
Also see [Entity Embed - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2021-028](https://www.drupal.org/sa-contrib-2021-028) which addresses a similar vulnerability for that module.
*Updated 18:15 UTC to clarify text.*
OSV (osv, 2021-09-15)
CVE-2020-13673: This advisory addresses a similar issue to Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-006
This advisory addresses a similar issue to [Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-006](https://www.drupal.org/sa-core-2021-006).
The Entity Embed module provides a filter to allow embedding entities in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed entities. In some cases, this could lead to cross-site scripting.
Drupal (vendor_drupal, 2021-09-15)
CVE-2020-13673 [MEDIUM]
Title: Entity Embed - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2021-028
Vulnerability Type: Cross Site Request Forgery
Description: This advisory addresses a similar issue to Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-006. The Entity Embed module provides a filter to allow embedding entities in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed entities. In some cases, this could lead to cross-site scripting.
Solution: Install the latest version: If you use the Entity Embed module for Drupal 8 or 9, upgrade to Entity Embed 8.x-1.2. Drupal 7 versions of Entity Embed do not have a stable release and therefore
Drupal (vendor_drupal, 2021-09-15)
CVE-2020-13673 [MEDIUM]
Title: Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-006
Vulnerability Type: Cross Site Request Forgery
Description: The Drupal core Media module allows embedding internal and external media in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed media. In some cases, this could lead to cross-site scripting. This advisory is not covered by Drupal Steward. Also see Entity Embed - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2021-028 which addresses a similar vulnerability for that module. Updated 18:15 UTC to clarify text.
Solution: Install the latest version: If you are using Drupal 9.2, update to Drupal 9.2.6. If y
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.