-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI
PHPPHPMiggo AIRoot Cause AnalysisThe vulnerability stems from improper output escaping in form element processing. Drupal's Textfield form element processes the #pattern attribute through processPattern() method, which in vulnerable versions did not apply proper HTML escaping. This allowed attackers to inject arbitrary JavaScript via the pattern attribute. The security advisory SA-CORE-2020-009 specifically addresses XSS in form rendering, and historical patch analysis shows escaping was added to Textfield::processPattern in the fixed versions.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| drupal/core | composer | >= 8.8.0, < 8.8.10 | 8.8.10 |
| drupal/core | composer | >= 8.9.0, < 8.9.6 | 8.9.6 |
| drupal/core | composer | >= 9.0.0, < 9.0.6 | 9.0.6 |
Ongoing coverage of React2Shell