
CVE-2020-13688: Drupal Core Cross-site scripting vulnerability

CVSS Score (v3.1): 6.1

Basic Information

EPSS Score
0.6087%
Published
5/24/2022
Updated
4/23/2024
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name   Ecosystem   Vulnerable Versions    First Patched Version
drupal/core    composer    >= 8.8.0, < 8.8.10     8.8.10
drupal/core    composer    >= 8.9.0, < 8.9.6      8.9.6
drupal/core    composer    >= 9.0.0, < 9.0.6      9.0.6

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from improper output escaping in form element processing. Drupal's Textfield form element passes the #pattern attribute through the processPattern() method, which in vulnerable versions did not apply proper HTML escaping before the value reached the rendered markup. This allowed an attacker who could influence the pattern value to inject arbitrary JavaScript through the pattern attribute. The security advisory SA-CORE-2020-009 addresses XSS in form rendering, and historical patch analysis shows that escaping was added to Textfield::processPattern in the fixed versions.
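The root cause described above comes down to an attribute value being concatenated into markup without escaping. The following constructed PHP illustration (added here; it is not Drupal code and does not reproduce Drupal's Textfield or processPattern implementation) shows the unescaped rendering beside the hardened form, with the function names and sample values being assumptions chosen for the example:

```php
<?php
// Constructed illustration, not Drupal core code: rendering a text field's
// pattern attribute without and with HTML attribute escaping.

// Defect pattern: the pattern value is inserted verbatim into the attribute,
// so any quote or angle bracket in it can terminate the attribute or open a tag.
function render_pattern_unescaped(string $pattern): string {
    return '<input type="text" pattern="' . $pattern . '">';
}

// Hardened form: escape the value as an HTML attribute before concatenation.
// ENT_QUOTES converts both quote styles, so the value cannot leave the attribute.
function render_pattern_escaped(string $pattern): string {
    $safe = htmlspecialchars($pattern, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" pattern="' . $safe . '">';
}

// Returns true when the rendered markup still contains exactly one <input>
// element and no additional tag, i.e. the attribute value stayed inert.
function markup_is_inert(string $html): bool {
    return substr_count($html, '<') === 1 && substr_count($html, '>') === 1;
}

// Constructed sample values: a benign regex a site builder would set, and a
// value containing the characters that must never reach markup unescaped.
$benign  = '[A-Za-z0-9]{3,10}';
$hostile = '"><b>injected</b>';

echo render_pattern_unescaped($benign), "\n";
echo render_pattern_escaped($benign), "\n";
echo render_pattern_escaped($hostile), "\n";

// Demonstrates the difference: the unescaped renderer lets the value add markup,
// the escaped renderer keeps it inside the attribute.
echo 'unescaped inert: ', var_export(markup_is_inert(render_pattern_unescaped($hostile)), true), "\n";
echo 'escaped inert:   ', var_export(markup_is_inert(render_pattern_escaped($hostile)), true), "\n";
```

The defensive point is that a regex intended for the HTML5 pattern attribute is still untrusted data from the renderer's perspective; it must go through attribute-context escaping exactly like any other value written into markup.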

WAF Protection Rules

WAF Rule

Cross-site scripting vulnerability in Drupal Core allows an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.X versions prior to 8.8.10; 8.9.X versions
