CVE-2020-13666

Description

Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.

How to fix CVE-2020-13666

To remediate CVE-2020-13666, upgrade the affected package to a fixed version below.

• —upgrade to 7.73.0 or later
• —upgrade to 7.52-2+deb9u12 or later
• —upgrade to 8.8.10 or later
• —upgrade to 8.8.10 or later
• —upgrade to 7.73 or later

Is CVE-2020-13666 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

• >= 7.0.0, < 7.73.0, >= 8.8.0, < 8.8.10, >= 8.9.0, < 8.9.6, >= 9.0.0, < 9.0.6
• from 0, < 7.52-2+deb9u12
• >= 8.0.0, < 8.8.10 | >= 8.9.0, < 8.9.6 | >= 9.0.0, < 9.0.6
• >= 8.8.0, < 8.8.10
• >= 7.0.0, < 7.73

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-13666
• PATCHgithub.com/drupal/core
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13666.yaml
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13666.yaml