Drupal has released security updates that fix a Critical XSS bug and four other vulnerabilities in multiple versions of Drupal.
A remote attacker could exploit these vulnerabilities to compromise an affected system.
One of the patches addresses a Critical reflected cross-site scripting (XSS) vulnerability, CVE-2020-13668. The issue affects certain versions of Drupal 8 and 9.
“An attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability,” Drupal stated in the advisory.
In addition, Drupal patched the following Moderately Critical vulnerabilities:
- CVE-2020-13666: Drupal AJAX API does not disable JSONP by default, which can lead to cross-site scripting.
- CVE-2020-13669: Drupal core’s built-in CKEditor image caption functionality is vulnerable to XSS.
- CVE-2020-13667: Access bypass vulnerability in Workspaces module.
- CVE-2020-13670: Information disclosure vulnerability in the File module, which allows an attacker to obtain the metadata of a permanent private file they are not permitted to access by guessing the file's ID.
Each of these issues affects Drupal 8.8.x, 8.9.x and 9.0.x, with CVE-2020-13666 also affecting Drupal 7.x.
Finally, system administrators should review each advisory to confirm which versions of Drupal are affected and upgrade to the latest releases as soon as possible.