CVE-2020-13666
N/A
N/A
Summary
Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Drupal | Drupal Core | 7.x < 7.73 | affected |
| Drupal | Drupal Core | 8.8.x < 8.8.10 | affected |
| Drupal | Drupal Core | 8.9.x < 8.9.6 | affected |
| Drupal | Drupal Core | 9.0.x < 9.0.6 | affected |
Weaknesses
- Cross-site scripting
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.