Drupal core Critical Cross-Site Scripting Vulnerability

By Fortra's Digital Defense

On September 16th, Drupal disclosed and released a patch for a critical reflected cross-site scripting vulnerability in Drupal versions up to 8.8.9/8.9.5/9.0.5 that could allow an attacker to inject arbitrary HTML or script, impacting site users. The affected parameter or location was not disclosed, and no exploits are currently available. If you are running 8.8.x, patch to 8.8.10. Previous versions are at end-of-life and will not receive any support. Otherwise, patch to 8.9.6 or 9.0.6 to mitigate the vulnerability. For more information, see the Drupal advisory for CVE-2020-13668: https://www.drupal.org/sa-core-2020-009

Frontline.Cloud will include an unauthenticated check for this vulnerability in the October Patch Tuesday release.