[Security-news] Drupal core - Critical - Cross-site scripting - SA-CORE-2020-009
security-news at drupal.org
security-news at drupal.org
Wed Sep 16 18:17:00 UTC 2020
View online: https://www.drupal.org/sa-core-2020-009
Project: Drupal core [1]
Date: 2020-September-16
Security risk: *Critical* 15∕25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross-site scripting
CVE IDs: CVE-2020-13668
Description:
Drupal 8 and 9 have a reflected cross-site scripting (XSS) vulnerability
under certain circumstances.
An attacker could leverage the way that HTML is rendered for affected forms
in order to exploit the vulnerability.
Solution:
Install the latest version:
* If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10 [3].
* If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6 [4].
* If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6 [5].
Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive
security coverage. Sites on 8.7.x or earlier should update to 8.8.10.
In addition to updating Drupal core, sites that override
\Drupal\Core\Form\FormBuilder's renderPlaceholderFormAction() and/or
buildFormAction() methods in contrib and/or custom code should ensure that
appropriate sanitization is applied for URLs.
Reported By:
* Nuno Ramos [6]
* markwittens [7]
* Nathan Dentzau [8]
* Marc Addeo [9]
* Alejandro Garza [10]
Fixed By:
* Lee Rowlands [11] of the Drupal Security Team
* David Rothstein [12] of the Drupal Security Team
* Wim Leers [13]
* Vijay Mani [14], provisional member of the Drupal Security Team
* Drew Webber [15] of the Drupal Security Team
* Nathan Dentzau [16]
* Heine [17] of the Drupal Security Team
* Joseph Zhao [18], provisional member of the Drupal Security Team
* Jess [19] of the Drupal Security Team
* Tim Plunkett [20]
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/8.8.10
[4] https://www.drupal.org/project/drupal/releases/8.9.6
[5] https://www.drupal.org/project/drupal/releases/9.0.6
[6] https://www.drupal.org/user/3522063
[7] https://www.drupal.org/user/567198
[8] https://www.drupal.org/user/3444913
[9] https://www.drupal.org/user/3312527
[10] https://www.drupal.org/user/153120
[11] https://www.drupal.org/user/395439
[12] https://www.drupal.org/user/124982
[13] https://www.drupal.org/user/99777
[14] https://www.drupal.org/user/93488
[15] https://www.drupal.org/user/255969
[16] https://www.drupal.org/user/3444913
[17] https://www.drupal.org/user/17943
[18] https://www.drupal.org/user/1987218
[19] https://www.drupal.org/user/65776
[20] https://www.drupal.org/user/241634
More information about the Security-news
mailing list