DRUPAL-CORE-2020-009

See a problem?

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/core/DRUPAL-CORE-2020-009.json

JSON Data

https://api.test.osv.dev/v1/vulns/DRUPAL-CORE-2020-009

Aliases

Published

2020-09-16T16:11:00Z

Modified

2025-12-02T23:13:40.595710Z

Summary

[none]

Details

Drupal 8 and 9 have a reflected cross-site scripting (XSS) vulnerability under certain circumstances.

An attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability.

References

https://www.drupal.org/sa-core-2020-009

Credits

- Alejandro Garza
- - https://www.drupal.org/user/153120
- Drew Webber
- - https://www.drupal.org/user/255969
- Marc Addeo
- - https://www.drupal.org/user/3312527
- Nathan Dentzau
- - https://www.drupal.org/user/3444913
- Nuno Ramos
- - https://www.drupal.org/user/3522063
- markwittens
- - https://www.drupal.org/user/567198

Affected packages

Packagist / drupal/core

Package

Name: drupal/core
Purl: pkg:composer/drupal/core

Affected ranges

Type

ECOSYSTEM

Events

Introduced

8.0.0

Fixed

8.8.10

Database specific

{
    "constraint": ">= 8.0.0 <8.8.10"
}

Type

ECOSYSTEM

Events

Introduced

8.9.0

Fixed

8.9.6

Database specific

{
    "constraint": ">= 8.9.0 <8.9.6"
}

Type

ECOSYSTEM

Events

Introduced

9.0.0

Fixed

9.0.6

Database specific

{
    "constraint": ">=9.0.0 <9.0.6"
}

Affected versions

8.*

8.0.0

8.0.1

8.0.2

8.0.3

8.0.4

8.0.5

8.0.6

8.1.0-beta1

8.1.0-beta2

8.1.0-rc1

8.1.0

8.1.1

8.1.2

8.1.3

8.1.4

8.1.5

8.1.6

8.1.7

8.1.8

8.1.9

8.1.10

8.2.0-beta1

8.2.0-beta2

8.2.0-beta3

8.2.0-rc1

8.2.0-rc2

8.2.0

8.2.1

8.2.2

8.2.3

8.2.4

8.2.5

8.2.6

8.2.7

8.2.8

8.3.0-alpha1

8.3.0-beta1

8.3.0-rc1

8.3.0-rc2

8.3.0

8.3.1

8.3.2

8.3.3

8.3.4

8.3.5

8.3.6

8.3.7

8.3.8

8.3.9

8.4.0-alpha1

8.4.0-beta1

8.4.0-rc1

8.4.0-rc2

8.4.0

8.4.1

8.4.2

8.4.3

8.4.4

8.4.5

8.4.6

8.4.7

8.4.8

8.5.0-alpha1

8.5.0-beta1

8.5.0-rc1

8.5.0

8.5.1

8.5.2

8.5.3

8.5.4

8.5.5

8.5.6

8.5.7

8.5.8

8.5.9

8.5.10

8.5.11

8.5.12

8.5.13

8.5.14

8.5.15

8.6.0-alpha1

8.6.0-beta1

8.6.0-beta2

8.6.0-rc1

8.6.0

8.6.1

8.6.2

8.6.3

8.6.4

8.6.5

8.6.6

8.6.7

8.6.8

8.6.9

8.6.10

8.6.11

8.6.12

8.6.13

8.6.14

8.6.15

8.6.16

8.6.17

8.6.18

8.7.0-alpha1

8.7.0-alpha2

8.7.0-beta1

8.7.0-beta2

8.7.0-rc1

8.7.0

8.7.1

8.7.2

8.7.3

8.7.4

8.7.5

8.7.6

8.7.7

8.7.8

8.7.9

8.7.10

8.7.11

8.7.12

8.7.13

8.7.14

8.8.0-alpha1

8.8.0-beta1

8.8.0-rc1

8.8.0

8.8.1

8.8.2

8.8.3

8.8.4

8.8.5

8.8.6

8.8.7

8.8.8

8.8.9

8.9.0

8.9.1

8.9.2

8.9.3

8.9.4

8.9.5

9.*

9.0.0

9.0.1

9.0.2

9.0.3

9.0.4

9.0.5

Database specific

affected_versions

">= 8.0.0 <8.8.10 || >= 8.9.0 <8.9.6 || >=9.0.0 <9.0.6"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/core/DRUPAL-CORE-2020-009.json"