
Information Disclosure, XSS Vulnerabilities Patched in Drupal
2020-09-17 14:39

Several information disclosure and cross-site scripting vulnerabilities, including one rated critical, have been patched this week in the Drupal content management system.

The most serious of the flaws is CVE-2020-13668, a critical XSS issue affecting Drupal 8 and 9.

Another XSS flaw, rated moderately critical, impacts Drupal 7, 8 and 9 and stems from the AJAX API not disabling JSONP by default.

A second moderately-critical XSS vulnerability patched this week, which only impacts Drupal 7 and 8, is related to the CKEditor image caption functionality built into Drupal core.

Finally, Drupal is also affected by a moderately-critical vulnerability in the File module that can be exploited to gain access to the metadata of a private file by guessing its ID. Drupal users have also been given instructions on the steps they may need to take in addition to updating their installations.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/2r-lUdbjnY8/information-disclosure-xss-vulnerabilities-patched-drupal

Related Vulnerability

Date:          2022-02-11
CVE:           CVE-2020-13668
Title:         Cross-site Scripting vulnerability in Drupal
Description:   Access Bypass vulnerability in Drupal Core allows an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability.
Attack vector: network, low complexity
Vendor / CWE:  drupal, CWE-79
Risk score:    6.1

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Drupal 15 0 66 45 14 125