Security News > 2020 > September > Information Disclosure, XSS Vulnerabilities Patched in Drupal
Several information disclosure and cross-site scripting vulnerabilities, including one rated critical, have been patched this week in the Drupal content management system.
The most serious of the flaws is CVE-2020-13668, a critical XSS issue affecting Drupal 8 and 9.
Another XSS flaw - this one has been rated moderately critical - impacts Drupal 7, 8 and 9, and is related to the AJAX API not disabling JSONP by default.
A second moderately-critical XSS vulnerability patched this week - this one only impacts Drupal 7 and 8 - is related to the CKEditor image caption functionality built into the Drupal core.
Finally, Drupal is also affected by a moderately-critical vulnerability in the File module that can be exploited to gain access to the metadata of a private file by guessing its ID. Drupal users have also been provided instructions on the steps they may need to take in addition to updating their installations.
News URL
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-02-11 | CVE-2020-13668 | Cross-site Scripting vulnerability in Drupal Access Bypass vulnerability in Drupal Core allows for an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. | 4.3 |