CVE-2020-13668 drupal/core

Package

Manager: composer
Name: drupal/core
Vulnerable Version: >=8.0.0 <8.8.10 || >=8.9.0 <8.9.6 || >=9.0.0 <9.0.6

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00575 (percentile: 0.67785)

Details

Cross-site Scripting in Drupal Core

Access Bypass vulnerability in Drupal Core allows for an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.

Metadata

Created: 2022-02-12T00:00:47Z
Modified: 2022-02-25T15:33:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-m6q5-wv4x-fv6h/GHSA-m6q5-wv4x-fv6h.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-m6q5-wv4x-fv6h
Finding: F008
Auto approve: 1