Vulnerability relates to how HTML is rendered for certain forms

Drupal patches critical reflected XSS bug and other security flaws

Drupal, the popular open source content management system (CMS), has patched a serious reflected cross-site scripting (XSS) vulnerability, as well as four less severe flaws.

“An attacker could leverage the way that HTML is rendered for affected forms in order to exploit” the XSS bug, according to a security advisory issued by Drupal on (September 16).

The flaw (CVE-2020-13668) is classified as ‘critical’ – the second most severe of four risk categories in the NIST Common Misuse Scoring System used by Drupal.

Drupal, which powers more than 580,000 websites worldwide, has also patched four vulnerabilities classified as ‘moderately critical’, the next tier down by severity.

These include XSS vulnerabilities in CKEditor’s image caption functionality, arising from the Drupal AJAX API’s failure to disable JSONP by default, as well as an information disclosure bug in the file module, and an access bypass flaw in the Workspaces module.


Security patches were incorporated into software updates issued on September 16.

All five flaws affect the Drupal 8 and 9 release lines, with the XSS vulnerability in the Drupal AJAX API also affecting Drupal 7 up to 7.73, the new version that has fixed the problem.

Website administrators running Drupal 8.8.9 or 8.7.9 and earlier should upgrade to Drupal 8.8.10; versions 8.9.5 and below require an update to 8.9.6; and 9.0.5 and older need updates to 9.0.6.

Users of earlier Drupal versions, which have reached their end-of-life and therefore no longer receive updates, should install the latest release line.

The advisory for the reflected XSS flaw also advises: “In addition to updating Drupal core, sites that override \Drupal\Core\Form\FormBuilder's renderPlaceholderFormAction() and/or buildFormAction() methods in contrib and/or custom code should ensure that appropriate sanitization is applied for URLs.”

Refer to the relevant advisory for further advice on handling updates.

The Daily Swig has contacted Drupal for additional technical details and will update the article accordingly.

RELATED Drupal plugs duo of critical security flaws in open source CMS