Fluid Attacks Database

Description

Drupal Core Cross-Site Request Forgery (CSRF) vulnerability Cross Site Request Forgery vulnerability in Drupal Core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	drupal/core	>=8.9.0 <8.9.1 \|\| >=9.0.0 <9.0.1 \|\| >=7.0.0 <7.72 \|\| >=8.0.0 <8.8.8	8.9.1, 9.0.1, 7.72, 8.8.8
packagist	drupal/drupal	>=7.0.0 <7.72 \|\| >=8.0.0 <8.8.8 \|\| >=8.9.0 <8.9.1 \|\| >=9.0.0 <9.0.1	7.72, 8.8.8, 8.9.1, 9.0.1

Aliases

1. CVE-2020-136632. NVD-2020-136633. OSV-2020-136634. GCVE-2020-13663

References

1. https://github.com/drupal/core/commit/5f3c4d80fd77df0cfa87722b446db54040d556932. https://github.com/drupal/core/commit/bc3235dcb5570bbda62ef9547e7604ee060b72c63. https://github.com/drupal/core/commit/faf3243c4ce03bbaab386af2b272b363fd0dfddb4. https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13663.yaml5. https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13663.yaml6. https://www.drupal.org/sa-core-2020-004