CVE-2020-13672: Drupal core Cross-site Scripting (XSS) vulnerability

February 12, 2022 (updated May 15, 2024)

Cross-site Scripting (XSS) vulnerability in Drupal core’s sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14; 7.x versions prior to 7.80.

References

github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13672.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13672.yaml
github.com/advisories/GHSA-3m36-mjwj-352c
github.com/drupal/core
nvd.nist.gov/vuln/detail/CVE-2020-13672
www.drupal.org/sa-core-2021-002

Detect and mitigate CVE-2020-13672 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →