CVE-2020-13666
packagist/drupal/core
Cross-site Scripting
A cross-site scripting vulnerability exists in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack.
All versions starting from 7.0 before 7.73, all versions starting from 8.8.0 before 8.8.10, all versions starting from 8.9.0 before 8.9.6, all versions starting from 9.0.0 before 9.0.6
Upgrade to versions 7.73, 8.8.10, 8.9.6, 9.0.6 or above.
2021-05-10
source |