Fluid Attacks Database

Description

Drupal Core Cross-site scripting vulnerability Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	drupal/core-recommended	>=7.0 <7.73 \|\| >=8.8.0 <8.8.10 \|\| >=8.9.0 <8.9.6 \|\| >=9.0.0 <9.0.6	8.0.0, 8.8.10, 8.9.6, 9.0.6
packagist	drupal/core	>=8.8.0 <8.8.10 \|\| >=8.9.0 <8.9.6 \|\| >=9.0.0 <9.0.6 \|\| >=7.0.0 <7.73	8.8.10, 8.9.6, 9.0.6, 7.73
packagist	drupal/drupal	>=7.0.0 <7.73 \|\| >=8.8.0 <8.8.10 \|\| >=8.9.0 <8.9.6 \|\| >=9.0.0 <9.0.6	7.73, 8.8.10, 8.9.6, 9.0.6

Aliases

1. CVE-2020-136662. NVD-2020-136663. OSV-2020-136664. GCVE-2020-13666

References

1. https://www.drupal.org/sa-core-2020-0072. https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13666.yaml3. https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13666.yaml