CVE-2020-13688

CWE-79 — Cross-site Scripting (XSS)6 documents5 sources

Severity

6.1MEDIUM

EPSS

0.3%

top 43.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Drupal Drupal Core Drupal Drupal Drupal Core

Timeline

PublishedJun 11

Latest updateMay 24

Description

Cross-site scripting vulnerability in l Drupal Core allows an attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.X versions prior to 8.8.10; 8.9.X versions prior to 8.9.6; 9.0.X versions prior to 9.0.6.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶Packagistdrupal/core8.8.0 — 8.8.10+3

▶CVEListV5drupal/drupal_core8.8.X — 8.8.10+2

▶NVDdrupal/drupal8.8.0 — 8.8.10+2

Patches

Patch: www.drupal.org ↗Patch: www.drupal.org ↗

🔴Vulnerability Details

OSV

Drupal Core Cross-site scripting vulnerability↗2022-05-24

▶

GHSA

Drupal Core Cross-site scripting vulnerability↗2022-05-24

▶

CVEList

CVE-2020-13688: Cross-site scripting vulnerability in l Drupal Core allows an attacker could leverage the way that HTML is rendered for affected forms in order to exp↗2021-06-11

▶

OSV

CVE-2020-13688: Drupal 8 and 9 have a reflected cross-site scripting (XSS) vulnerability under certain circumstances↗2020-09-16

▶

📋Vendor Advisories

Drupal

Drupal core - Critical - Cross-site scripting - SA-CORE-2020-009↗2020-09-16

▶