CVE-2020-13672

Description

Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14; 7.x versions prior to 7.80.

How to fix CVE-2020-13672

To remediate CVE-2020-13672, upgrade the affected package to a fixed version below.

• —upgrade to 7.80.0 or later
• —upgrade to 7.52-2+deb9u15 or later
• —upgrade to 8.9.14 or later
• —upgrade to 7.80 or later
• —upgrade to 7.80 or later

Is CVE-2020-13672 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

• from 0, < 7.80.0, >= 8.9.0, < 8.9.14, >= 9.0.0, < 9.0.12, >= 9.1.0, < 9.1.7
• from 0, < 7.52-2+deb9u15
• >= 8.0.0, < 8.9.14 | >= 9.0.0, < 9.0.12 | >= 9.1.0, < 9.1.7
• >= 7.0.0, < 7.80
• >= 7.0.0, < 7.80

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-13672
• PATCHgithub.com/drupal/core
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13672.yaml
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13672.yaml