CVE-2020-13666

Cross-site Scripting in packagist/drupal/drupal

Identifiers

CVE-2020-13666

Package Slug

packagist/drupal/drupal

Vulnerability

Cross-site Scripting

Description

A cross-site scripting vulnerability exists in Drupal Core. The Drupal AJAX API does not disable JSONP by default, which allows an XSS attack.

Affected Versions

All versions starting from 7.0 before 7.73, all versions starting from 8.8.0 before 8.8.10, all versions starting from 8.9.0 before 8.9.6, all versions starting from 9.0.0 before 9.0.6

Solution

Upgrade to version 7.73, 8.8.10, 8.9.6, 9.0.6 or above.
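A triage check for the ranges above, added here as an example and not part of the advisory: it reads a composer.lock, finds the drupal/drupal entry and reports the fixing release for its branch. It assumes the usual composer.lock layout ("packages" and "packages-dev" lists of name/version entries); the sample lock file and the function names are constructed for illustration.

```python
import json
import re

# Ranges [first affected, first fixed) and fix release, copied from the advisory.
AFFECTED = [
    ((7, 0, 0), (7, 73, 0), "7.73"),
    ((8, 8, 0), (8, 8, 10), "8.8.10"),
    ((8, 9, 0), (8, 9, 6), "8.9.6"),
    ((9, 0, 0), (9, 0, 6), "9.0.6"),
]

# Constructed sample lock file; example/other is a made-up package.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "example/other", "version": "1.2.3"},
        {"name": "drupal/drupal", "version": "8.9.5"},
    ],
    "packages-dev": [],
})

def parse_version(text):
    """Return (major, minor, patch), or None for aliases such as '8.9.x-dev'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?", text.strip())
    return tuple(int(part or 0) for part in m.groups()) if m else None

def fixed_in(version):
    """Fix release if affected, '' if outside the listed ranges, None if unparseable."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    for first_affected, first_fixed, fix in AFFECTED:
        # Pre-release suffixes are ignored, so 9.0.0-rc1 is treated as 9.0.0.
        if first_affected <= parsed < first_fixed:
            return fix
    return ""

def audit_lock(lock_text, package="drupal/drupal"):
    """Return (version, fix) for every locked copy of the package."""
    lock = json.loads(lock_text)
    entries = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    return [(p.get("version", ""), fixed_in(p.get("version", "")))
            for p in entries if p.get("name") == package]

if __name__ == "__main__":
    for version, fix in audit_lock(SAMPLE_LOCK):
        status = {None: "unparseable, check by hand", "": "not in listed ranges"}.get(fix, f"affected, upgrade to {fix}")
        print(f"drupal/drupal {version}: {status}")
```

An empty result from fixed_in means only that the version is outside the ranges this advisory lists, not that the release is otherwise supported.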

Last Modified

2021-05-10
