CVE-2020-13666: XSS
First published: Wed Sep 16 2020(Updated: )
Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.
Credit: mlhess@drupal.org mlhess@drupal.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/drupal/core | >=7.0.0<7.73>=8.0.0<8.1.0>=8.1.0<8.2.0>=8.2.0<8.3.0>=8.3.0<8.4.0>=8.4.0<8.5.0>=8.5.0<8.6.0>=8.6.0<8.7.0>=8.7.0<8.8.0>=8.8.0<8.8.10>=8.9.0<8.9.6>=9.0.0<9.0.6 | |
| composer/drupal/drupal | >=7.0.0<7.73>=8.0.0<8.1.0>=8.1.0<8.2.0>=8.2.0<8.3.0>=8.3.0<8.4.0>=8.4.0<8.5.0>=8.5.0<8.6.0>=8.6.0<8.7.0>=8.7.0<8.8.0>=8.8.0<8.8.10>=8.9.0<8.9.6>=9.0.0<9.0.6 | |
| Drupal Drupal | >=7.0<7.73 | |
| Drupal Drupal | >=8.8.0<8.8.10 | |
| Drupal Drupal | >=8.9.0<8.9.6 | |
| Drupal Drupal | >=9.0.0<9.0.6 | |
| composer/drupal/drupal | >=9.0.0<9.0.6 | 9.0.6 |
| composer/drupal/drupal | >=8.9.0<8.9.6 | 8.9.6 |
| composer/drupal/drupal | >=8.8.0<8.8.10 | 8.8.10 |
| composer/drupal/drupal | >=7.0.0<7.73 | 7.73 |
| composer/drupal/core | >=7.0.0<7.73 | 7.73 |
| composer/drupal/core | >=9.0.0<9.0.6 | 9.0.6 |
| composer/drupal/core | >=8.9.0<8.9.6 | 8.9.6 |
| composer/drupal/core | >=8.8.0<8.8.10 | 8.8.10 |
| >=7.0<7.73 | ||
| >=8.8.0<8.8.10 | ||
| >=8.9.0<8.9.6 | ||
| >=9.0.0<9.0.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.drupal.org/sa-core-2020-007
- https://nvd.nist.gov/vuln/detail/CVE-2020-13666
- https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13666.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13666.yaml
- https://github.com/advisories/GHSA-8jj2-x2gc-ggm7 (Advisory)
Frequently Asked Questions
What is CVE-2020-13666?
CVE-2020-13666 is a cross-site scripting vulnerability in Drupal Core.
How does CVE-2020-13666 affect Drupal versions?
CVE-2020-13666 affects Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.
What is the severity of CVE-2020-13666?
The severity of CVE-2020-13666 is medium with a CVSS score of 6.1.
How can I fix CVE-2020-13666?
To fix CVE-2020-13666, you need to upgrade Drupal Core to version 7.73 or later for 7.x versions, 8.8.10 or later for 8.8.x versions, 8.9.6 or later for 8.9.x versions, and 9.0.6 or later for 9.0.x versions.
Where can I find more information about CVE-2020-13666?
You can find more information about CVE-2020-13666 on the official Drupal website: https://www.drupal.org/sa-core-2020-007
- collector/friends-of-php
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-8jj2-x2gc-ggm7
- alias/CVE-2020-13666
- agent/software-canonical-lookup
- agent/weakness
- agent/last-modified-date
- agent/severity
- agent/references
- agent/description
- agent/author
- agent/tags
- agent/softwarecombine
- agent/event
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- package-manager/composer
- vendor/drupal
- canonical/drupal drupal
- version/drupal drupal/7.0
- version/drupal drupal/8.8.0
- version/drupal drupal/8.9.0
- version/drupal drupal/9.0.0