CVE-2020-13672 - Vulnerability Details

Vendors	Products
Drupal	Drupal

Link	Providers
https://www.drupal.org/sa-core-2021-002

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "Core", "vendor": "Drupal", "versions": [{"lessThan": "9.1.7", "status": "affected", "version": "9.1.x", "versionType": "custom"}, {"lessThan": "9.0.12", "status": "affected", "version": "9.0.x", "versionType": "custom"}, {"lessThan": "8.9.14", "status": "affected", "version": "8.9.x", "versionType": "custom"}, {"lessThan": "7.80", "status": "affected", "version": "7.x", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14; 7.x versions prior to 7.80."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-02-11T15:30:12", "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.drupal.org/sa-core-2021-002"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@drupal.org", "ID": "CVE-2020-13672", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Core", "version": {"version_data": [{"version_affected": "<", "version_name": "9.1.x", "version_value": "9.1.7"}, {"version_affected": "<", "version_name": "9.0.x", "version_value": "9.0.12"}, {"version_affected": "<", "version_name": "8.9.x", "version_value": "8.9.14"}, {"version_affected": "<", "version_name": "7.x", "version_value": "7.80"}]}}]}, "vendor_name": "Drupal"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14; 7.x versions prior to 7.80."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://www.drupal.org/sa-core-2021-002", "refsource": "CONFIRM", "url": "https://www.drupal.org/sa-core-2021-002"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T12:25:16.383Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.drupal.org/sa-core-2021-002"}]}]}, "cveMetadata": {"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "assignerShortName": "drupal", "cveId": "CVE-2020-13672", "datePublished": "2022-02-11T15:30:12", "dateReserved": "2020-05-28T00:00:00", "dateUpdated": "2024-08-04T12:25:16.383Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : Core (string)

vendor : Drupal (string)

versions : [ »

0 : { »

lessThan : 9.1.7 (string)

status : affected (string)

version : 9.1.x (string)

versionType : custom (string)

}

1 : { »

lessThan : 9.0.12 (string)

status : affected (string)

version : 9.0.x (string)

versionType : custom (string)

}

2 : { »

lessThan : 8.9.14 (string)

status : affected (string)

version : 8.9.x (string)

versionType : custom (string)

}

3 : { »

lessThan : 7.80 (string)

status : affected (string)

version : 7.x (string)

versionType : custom (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14; 7.x versions prior to 7.80. (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

cweId : CWE-79 (string)

description : CWE-79 Cross-site Scripting (XSS) (string)

lang : en (string)

type : CWE (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2022-02-11T15:30:12 (string)

orgId : 2c85b837-eb8b-40ed-9d74-228c62987387 (string)

shortName : drupal (string)

}

references : [ »

0 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

]

url : https://www.drupal.org/sa-core-2021-002 (string)

}

]

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : security@drupal.org (string)

ID : CVE-2020-13672 (string)

STATE : PUBLIC (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : Core (string)

version : { »

version_data : [ »

0 : { »

version_affected : < (string)

version_name : 9.1.x (string)

version_value : 9.1.7 (string)

}

1 : { »

version_affected : < (string)

version_name : 9.0.x (string)

version_value : 9.0.12 (string)

}

2 : { »

version_affected : < (string)

version_name : 8.9.x (string)

version_value : 8.9.14 (string)

}

3 : { »

version_affected : < (string)

version_name : 7.x (string)

version_value : 7.80 (string)

}

]

}

]

}

vendor_name : Drupal (string)

}

]

}

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14; 7.x versions prior to 7.80. (string)

}

]

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : CWE-79 Cross-site Scripting (XSS) (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : https://www.drupal.org/sa-core-2021-002 (string)

refsource : CONFIRM (string)

url : https://www.drupal.org/sa-core-2021-002 (string)

}

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-04T12:25:16.383Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

1 : x_transferred (string)

]

url : https://www.drupal.org/sa-core-2021-002 (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : 2c85b837-eb8b-40ed-9d74-228c62987387 (string)

assignerShortName : drupal (string)

cveId : CVE-2020-13672 (string)

datePublished : 2022-02-11T15:30:12 (string)

dateReserved : 2020-05-28T00:00:00 (string)

dateUpdated : 2024-08-04T12:25:16.383Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "B9241484-30D0-4A6B-B483-F557297E4374", "versionEndExcluding": "7.80", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "F06E54AB-656D-4FC5-A3DD-3F8DE1677433", "versionEndExcluding": "8.9.14", "versionStartIncluding": "8.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "A134E8FE-7F91-419F-8F41-B0ED9A30CEBF", "versionEndExcluding": "9.0.12", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "85C471FB-CF19-4A7F-B7BC-08FD71B754A5", "versionEndExcluding": "9.1.7", "versionStartIncluding": "9.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14; 7.x versions prior to 7.80."}, {"lang": "es", "value": "Una vulnerabilidad de tipo Cross-site Scripting (XSS) en la API de saneo del n\u00facleo de Drupal que no filtra apropiadamente las vulnerabilidades de tipo cross-site scripting en determinadas circunstancias. Este problema afecta a: Drupal Core versiones 9.1.x anteriores a la 9.1.7; versiones 9.0.x anteriores a la 9.0.12; versiones 8.9.x anteriores a la 8.9.14; versiones 7.x anteriores a la 7.80"}], "id": "CVE-2020-13672", "lastModified": "2024-11-21T05:01:44.100", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.6, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-02-11T16:15:08.190", "references": [{"source": "mlhess@drupal.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.drupal.org/sa-core-2021-002"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.drupal.org/sa-core-2021-002"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "mlhess@drupal.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* (string)

matchCriteriaId : B9241484-30D0-4A6B-B483-F557297E4374 (string)

versionEndExcluding : 7.80 (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* (string)

matchCriteriaId : F06E54AB-656D-4FC5-A3DD-3F8DE1677433 (string)

versionEndExcluding : 8.9.14 (string)

versionStartIncluding : 8.9.0 (string)

vulnerable : true (boolean)

}

2 : { »

criteria : cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* (string)

matchCriteriaId : A134E8FE-7F91-419F-8F41-B0ED9A30CEBF (string)

versionEndExcluding : 9.0.12 (string)

versionStartIncluding : 9.0.0 (string)

vulnerable : true (boolean)

}

3 : { »

criteria : cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 85C471FB-CF19-4A7F-B7BC-08FD71B754A5 (string)

versionEndExcluding : 9.1.7 (string)

versionStartIncluding : 9.1.0 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14; 7.x versions prior to 7.80. (string)

}

1 : { »

lang : es (string)

value : Una vulnerabilidad de tipo Cross-site Scripting (XSS) en la API de saneo del núcleo de Drupal que no filtra apropiadamente las vulnerabilidades de tipo cross-site scripting en determinadas circunstancias. Este problema afecta a: Drupal Core versiones 9.1.x anteriores a la 9.1.7; versiones 9.0.x anteriores a la 9.0.12; versiones 8.9.x anteriores a la 8.9.14; versiones 7.x anteriores a la 7.80 (string)

}

]

id : CVE-2020-13672 (string)

lastModified : 2024-11-21T05:01:44.100 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : LOW (string)

cvssData : { »

accessComplexity : HIGH (string)

accessVector : NETWORK (string)

authentication : NONE (string)

availabilityImpact : NONE (string)

baseScore : 2.6 (number)

confidentialityImpact : NONE (string)

integrityImpact : PARTIAL (string)

vectorString : AV:N/AC:H/Au:N/C:N/I:P/A:N (string)

version : 2.0 (string)

}

exploitabilityScore : 4.9 (number)

impactScore : 2.9 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : true (boolean)

}

]

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 6.1 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : LOW (string)

integrityImpact : LOW (string)

privilegesRequired : NONE (string)

scope : CHANGED (string)

userInteraction : REQUIRED (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (string)

version : 3.1 (string)

}

exploitabilityScore : 2.8 (number)

impactScore : 2.7 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2022-02-11T16:15:08.190 (string)

references : [ »

0 : { »

source : mlhess@drupal.org (string)

tags : [ »

0 : Patch (string)

1 : Vendor Advisory (string)

]

url : https://www.drupal.org/sa-core-2021-002 (string)

}

1 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Patch (string)

1 : Vendor Advisory (string)

]

url : https://www.drupal.org/sa-core-2021-002 (string)

}

]

sourceIdentifier : mlhess@drupal.org (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-79 (string)

}

]

source : mlhess@drupal.org (string)

type : Secondary (string)

}

1 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-79 (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object