CVE-2020-13668

MEDIUM

Drupal Core 8.8.0-8.8.9, 8.9.0-8.9.5, 9.0.0-9.0.5 - Cross-Site Scripting via Form HTML Rendering

Title source: llm
STIX 2.1

Description

Access Bypass vulnerability in Drupal Core allows for an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.

References (1)

Core 1
Core References
Patch, Vendor Advisory x_refsource_confirm
https://www.drupal.org/sa-core-2020-009

Scores

CVSS v3 6.1
EPSS 0.0022
EPSS Percentile 44.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (3)
drupal/core 8.0.0 - 8.8.10Packagist
drupal/drupal 8.0.0 - 8.8.10Packagist
drupal/drupal 8.8.0 - 8.8.10
Published Feb 11, 2022
Tracked Since Feb 18, 2026