CVE-2020-13688

MEDIUM6.1EPSS 0.34%

Drupal Core Cross-site scripting vulnerability

Published: 9/16/2020Modified: 12/10/2025

Also known as:GHSA-qf2g-mrrx-rr5pBIT-drupal-2020-13688DRUPAL-CORE-2020-009

Description

Cross-site scripting vulnerability in l Drupal Core allows an attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.X versions prior to 8.8.10; 8.9.X versions prior to 8.9.6; 9.0.X versions prior to 9.0.6.

Affected packages (3)

Bitnami/drupal>= 8.8.0, < 8.8.10, >= 8.9.0, < 8.9.6, >= 9.0.0, < 9.0.6
Packagist/drupal/core>= 8.0.0, < 8.8.10 | >= 8.9.0, < 8.9.6 | >= 9.0.0, < 9.0.6
Packagist/drupal/core>= 8.8.0, < 8.8.10

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-13688
PATCHhttps://github.com/drupal/core
WEBhttps://www.drupal.org/sa-core-2020-009