CVE-2020-13669
Description
Cross-site Scripting (XSS) vulnerability in CKEditor of Drupal Core allows an attacker to inject XSS. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site Scripting (XSS) vulnerability in CKEditor of Drupal Core allows attackers to inject arbitrary JavaScript, affecting versions prior to 8.8.10, 8.9.6, and 9.0.6.
Vulnerability
Cross-site Scripting (XSS) vulnerability in the CKEditor component of Drupal Core allows an attacker to inject arbitrary JavaScript. Affected versions: Drupal Core 8.8.x prior to 8.8.10, 8.9.x prior to 8.9.6, and 9.0.x prior to 9.0.6. [2]
Exploitation
An attacker must be able to submit content that is rendered by CKEditor. This can be achieved through any input field that uses the editor. The attacker crafts a payload containing malicious script, which is stored or reflected and executed in the context of the victim's browser.
Impact
Successful exploitation leads to Cross-site Scripting (XSS), allowing the attacker to execute arbitrary JavaScript in the victim's session. This can result in data theft, session hijacking, or defacement.
Mitigation
Upgrade to Drupal Core version 8.8.10, 8.9.6, or 9.0.6 or later, which contain the fix. No workaround is mentioned; applying the update is recommended.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| drupal/core (Packagist) | >= 8.0.0, < 8.8.10 | 8.8.10 |
| drupal/core (Packagist) | >= 8.9.0, < 8.9.6 | 8.9.6 |
| drupal/core (Packagist) | >= 9.0.0, < 9.0.6 | 9.0.6 |
| drupal/drupal (Packagist) | >= 8.0.0, < 8.8.10 | 8.8.10 |
| drupal/drupal (Packagist) | >= 8.9.0, < 8.9.6 | 8.9.6 |
| drupal/drupal (Packagist) | >= 9.0.0, < 9.0.6 | 9.0.6 |
Affected products
- osv-coords (3 versions): >= 8.8.0, < 8.8.10, and 2 more
- (no CPE) range: >= 8.8.0, < 8.8.10
- (no CPE) range: >= 8.0.0, < 8.8.10
- (no CPE) range: >= 8.0.0, < 8.8.10
- Drupal/Core (v5) range: 8.8.x
References
- github.com/advisories/GHSA-c533-c843-67h8 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-13669 (ghsa, ADVISORY)
- github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13669.yaml (ghsa, WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13669.yaml (ghsa, WEB)
- www.drupal.org/sa-core-2020-010 (ghsa, x_refsource_CONFIRM, WEB)