CVE-2020-13666
packagist/drupal/drupal
Cross-site Scripting
A cross-site scripting vulnerability exists in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack.
All versions starting from 7.0 before 7.73, all versions starting from 8.8.0 before 8.8.10, all versions starting from 8.9.0 before 8.9.6, all versions starting from 9.0.0 before 9.0.6
Upgrade to version 7.73, 8.8.10, 8.9.6, 9.0.6 or above.
2021-05-10
source |