CVE-2020-13688
Published: 2021-06-11
Priority: P427 | Severity: medium | CVSS 3.1 score: 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.66% (47.0th percentile)
Cross-site scripting vulnerability in Drupal Core allows an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.X versions prior to 8.8.10; 8.9.X versions prior to 8.9.6; 9.0.X versions prior to 9.0.6.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | core | >= 8.0.0 < 8.8.10 | 8.8.10 |
| drupal | core | >= 8.8.0 < 8.8.10 | 8.8.10 |
| drupal | core | >= 8.9.0 < 8.9.6 | 8.9.6 |
| drupal | core | >= 9.0.0 < 9.0.6 | 9.0.6 |
| drupal | drupal | >= 8.8.0 < 8.8.10 | 8.8.10 |
| drupal | drupal | >= 8.9.0 < 8.9.6 | 8.9.6 |
| drupal | drupal | >= 9.0.0 < 9.0.6 | 9.0.6 |
| drupal | drupal_core | — | — |
| drupal | drupal_core | >= 8.8.X < 8.8.10 | 8.8.10 |
| drupal | drupal_core | >= 8.9.X < 8.9.6 | 8.9.6 |
| drupal | drupal_core | >= 9.0.X < 9.0.6 | 9.0.6 |
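CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |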
Drupal
Drupal core - Critical - Cross-site scripting - SA-CORE-2020-009
vendor_drupal·2020-09-16
CVE-2020-13688 [HIGH] Drupal core - Critical - Cross-site scripting - SA-CORE-2020-009
Title: Drupal core - Critical - Cross-site scripting - SA-CORE-2020-009
Vulnerability Type: Cross-site scripting
Description: Drupal 8 and 9 have a reflected cross-site scripting (XSS) vulnerability under certain circumstances. An attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability.
Solution: Install the latest version: If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10. If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6. If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6. Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10. In addition to updating Drupal core, sites that override \Drupal\Core\Form\FormBuilder's renderPlaceho
OSV
Drupal Core Cross-site scripting vulnerability
osv·2022-05-24
CVE-2020-13688 [MEDIUM] Drupal Core Cross-site scripting vulnerability
Drupal Core Cross-site scripting vulnerability
Cross-site scripting vulnerability in Drupal Core allows an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.X versions prior to 8.8.10; 8.9.X versions prior to 8.9.6; 9.0.X versions prior to 9.0.6.
GHSA
Drupal Core Cross-site scripting vulnerability
ghsa·2022-05-24
CVE-2020-13688 [MEDIUM] CWE-79 Drupal Core Cross-site scripting vulnerability
Drupal Core Cross-site scripting vulnerability
Cross-site scripting vulnerability in Drupal Core allows an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.X versions prior to 8.8.10; 8.9.X versions prior to 8.9.6; 9.0.X versions prior to 9.0.6.
OSV
CVE-2020-13688: Drupal 8 and 9 have a reflected cross-site scripting (XSS) vulnerability under certain circumstances
osv·2020-09-16
CVE-2020-13688 CVE-2020-13688: Drupal 8 and 9 have a reflected cross-site scripting (XSS) vulnerability under certain circumstances
Drupal 8 and 9 have a reflected cross-site scripting (XSS) vulnerability under certain circumstances.
An attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.