CVE-2020-13688
Description
Cross-site scripting vulnerability in Drupal Core allows an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.X versions prior to 8.8.10; 8.9.X versions prior to 8.9.6; 9.0.X versions prior to 9.0.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Drupal core's form rendering allows attackers to inject malicious scripts via crafted URLs.
Vulnerability
Reflected cross-site scripting (XSS) vulnerability in Drupal core's form rendering. Affects Drupal 8.8.x before 8.8.10, 8.9.x before 8.9.6, and 9.0.x before 9.0.6. The bug occurs in how HTML is rendered for certain forms, allowing an attacker to inject arbitrary JavaScript. [2][3]
Exploitation
An attacker can craft a malicious URL that, when visited by an authenticated user with permission to access certain forms, executes the attacker's script in that user's browser. No authentication is required for the attacker; they only need to trick a user into following the link. [3]
Impact
Successful exploitation leads to arbitrary JavaScript execution in the context of the victim's session. This can result in information disclosure, session hijacking, or unauthorized actions performed on behalf of the victim. [3]
Mitigation
Update Drupal core to 8.8.10, 8.9.6, or 9.0.6, whichever matches the branch in use. Sites on end-of-life versions (8.7.x or earlier) should upgrade to a supported release. Additionally, any custom or contrib code overriding renderPlaceholderFormAction() or buildFormAction() must ensure the resulting form action URL is properly sanitized before it is rendered. [3]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (ecosystem) | Affected versions | Patched version |
|---|---|---|
| drupal/core (Packagist) | >= 8.8.0, < 8.8.10 | 8.8.10 |
| drupal/core (Packagist) | >= 8.9.0, < 8.9.6 | 8.9.6 |
| drupal/core (Packagist) | >= 9.0.0, < 9.0.6 | 9.0.6 |
Affected products
3 products listed.
- OSV coordinates (2 versions): >= 8.8.0, < 8.8.10 (+1 more)
- (no CPE) range: >= 8.8.0, < 8.8.10
- (no CPE) range: >= 8.8.0, < 8.8.10
- Drupal / Drupal Core (v5) range: 8.8.X
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3 references.
- [1] github.com/advisories/GHSA-qf2g-mrrx-rr5p (ghsa, ADVISORY)
- [2] nvd.nist.gov/vuln/detail/CVE-2020-13688 (ghsa, ADVISORY)
- [3] www.drupal.org/sa-core-2020-009 (ghsa, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.