View online: https://www.drupal.org/sa-core-2020-009
Project: Drupal core [1]
Date: 2020-September-16
Security risk: *Critical* 15/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross-site scripting
CVE IDs: CVE-2020-13668

Description:
Drupal 8 and 9 have a reflected cross-site scripting (XSS) vulnerability under certain circumstances.
An attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability.
Solution: Install the latest version:
* If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10 [3].
* If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6 [4].
* If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6 [5].
Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10.
In addition to updating Drupal core, sites that override \Drupal\Core\Form\FormBuilder's renderPlaceholderFormAction() and/or buildFormAction() methods in contrib and/or custom code should ensure that appropriate sanitization is applied for URLs.
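As an added illustration of the sanitization the advisory asks for in overriding code (this is an example written for this page, not code from Drupal core or from the advisory), the hypothetical class below, in an assumed `Drupal\my_module\Form` namespace, overrides renderPlaceholderFormAction() and passes the action URL it builds through `\Drupal\Component\Utility\UrlHelper::filterBadProtocol()` before the value is placed in `#markup`. The example assumes a site that wants every form to post back to the current path without its query string; the `form_builder` service would be pointed at this class through a service provider, which is not shown here.

```php
<?php

namespace Drupal\my_module\Form;

use Drupal\Component\Utility\UrlHelper;
use Drupal\Core\Form\FormBuilder;

/**
 * Hypothetical FormBuilder override (added example, not Drupal core code).
 *
 * Demonstrates the point made in SA-CORE-2020-009: any custom override of
 * renderPlaceholderFormAction() must sanitize the URL it emits, because the
 * value is rendered into the action attribute of every form on the site.
 */
class SanitizedFormBuilder extends FormBuilder {

  /**
   * {@inheritdoc}
   */
  public function renderPlaceholderFormAction() {
    $request = $this->requestStack->getCurrentRequest();

    // Assumption for this example: the site wants forms to post back to the
    // current path only, so the query string is deliberately dropped. The
    // path still originates from the incoming request and is therefore
    // attacker-influenced input, not trusted data.
    $action = $request->getPathInfo();

    // filterBadProtocol() strips dangerous URL schemes and HTML-escapes the
    // result (quotes, angle brackets, ampersands), so request-supplied
    // characters cannot terminate the attribute or introduce markup when the
    // placeholder is rendered. Apply it exactly once, on the final string.
    $safe_action = UrlHelper::filterBadProtocol($action);

    return [
      '#type' => 'markup',
      '#markup' => $safe_action,
      // Only the path is used above, so the placeholder varies by url.path.
      '#cache' => [
        'contexts' => ['url.path'],
      ],
    ];
  }

}
```

The same rule applies to an override of buildFormAction(): whatever string it returns ends up in the same attribute, so the override is responsible for returning a value that is safe in that context, and the sanitization should be applied once, on the finished URL, rather than both before and after it is assembled (escaping twice would turn an already-escaped `&amp;` into `&amp;amp;` and break query parameters).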
Reported By:
* Nuno Ramos [6]
* markwittens [7]
* Nathan Dentzau [8]
* Marc Addeo [9]
* Alejandro Garza [10]
Fixed By:
* Lee Rowlands [11] of the Drupal Security Team
* David Rothstein [12] of the Drupal Security Team
* Wim Leers [13]
* Vijay Mani [14], provisional member of the Drupal Security Team
* Drew Webber [15] of the Drupal Security Team
* Nathan Dentzau [16]
* Heine [17] of the Drupal Security Team
* Joseph Zhao [18], provisional member of the Drupal Security Team
* Jess [19] of the Drupal Security Team
* Tim Plunkett [20]
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/8.8.10
[4] https://www.drupal.org/project/drupal/releases/8.9.6
[5] https://www.drupal.org/project/drupal/releases/9.0.6
[6] https://www.drupal.org/user/3522063
[7] https://www.drupal.org/user/567198
[8] https://www.drupal.org/user/3444913
[9] https://www.drupal.org/user/3312527
[10] https://www.drupal.org/user/153120
[11] https://www.drupal.org/user/395439
[12] https://www.drupal.org/user/124982
[13] https://www.drupal.org/user/99777
[14] https://www.drupal.org/user/93488
[15] https://www.drupal.org/user/255969
[16] https://www.drupal.org/user/3444913
[17] https://www.drupal.org/user/17943
[18] https://www.drupal.org/user/1987218
[19] https://www.drupal.org/user/65776
[20] https://www.drupal.org/user/241634