According to its self-reported version, the instance of Drupal running on the remote web server is 7.0.x prior to 7.73, 8.8.x prior to 8.8.10, 8.9.x prior to 8.9.6 or 9.0.x prior to 9.0.6. It is, therefore, affected by multilple vulnerabilities :
A Cross-Site Scripting (XSS) due to Drupal AJAX API which does not disable JSONP by default (CVE-2020-13666).
An access bypass due to the Workspaces module which does not sufficiently check access permissions when switching workspaces (CVE-2020-13667).
A Cross-Site Scripting (XSS) (CVE-2020-13668).
A Cross-Site Scripting (XSS) in Drupal core’s built-in CKEditor image caption functionality (CVE-2020-13669).
An information disclosure in the File module (CVE-2020-13670).
Note that the scanner has not tested for these issues but has instead relied only on the application’s self-reported version number.
No source data
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13666
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13667
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13668
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13669
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13670
www.drupal.org/project/drupal/releases/9.0.6
www.drupal.org/sa-core-2020-007
www.drupal.org/sa-core-2020-008
www.drupal.org/sa-core-2020-009
www.drupal.org/sa-core-2020-010
www.drupal.org/sa-core-2020-011