Drupal core - Critical - Cross-site scripting - SA-CORE-2020-009

2020-09-16T00:00:00
ID DRUPAL-SA-CORE-2020-009
Type drupal
Reporter Drupal Security Team
Modified 2020-09-16T00:00:00

Description

Project:

Drupal core

Date:

2020-September-16

Security risk:

Critical 15∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default

Vulnerability:

Cross-site scripting

CVE IDs:

CVE-2020-13668

Description:

Drupal 8 and 9 have a reflected cross-site scripting (XSS) vulnerability under certain circumstances.

An attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability.

Solution:

Install the latest version:

  • If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10.
  • If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6.
  • If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6.

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10.

In addition to updating Drupal core, sites that override \Drupal\Core\Form\FormBuilder's renderPlaceholderFormAction() and/or buildFormAction() methods in contrib and/or custom code should ensure that appropriate sanitization is applied for URLs.

Reported By:

Fixed By: