Severity Rating: MEDIUM
Software Affected
•Drupal 7.69 and earlier
•Drupal 8.7.13 and earlier
•Drupal 8.8.5 and earlier
Overview
Multiple vulnerabilities have been reported in Drupal that could allow a
remote attacker to conduct cross-site scripting and open redirect attacks
against users of the targeted site.
Description
1. Cross-Site Scripting Vulnerabilities (CVE-2020-11022, CVE-2020-11023)
These vulnerabilities exist in the jQuery library bundled with Drupal core.
Before parsing an HTML string, jQuery's DOM manipulation methods (.html(),
.append() and others) rewrote it with a regular expression, so HTML that had
already been sanitised could still be turned into executable markup when
passed to one of these methods; CVE-2020-11023 covers the same problem for
HTML containing <option> elements. A remote attacker could exploit this by
supplying crafted HTML that the site passes to one of these methods, causing
script to execute in the victim's web browser within the security context of
the hosting website. Successful exploitation of this vulnerability could allow
the attacker to steal the victim's cookie-based authentication credentials.
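To make the mechanism concrete, the following is an added JavaScript example; it is not code from the advisory, from jQuery or from Drupal. It reproduces the htmlPrefilter regular expression that jQuery used before 3.5.0 (jQuery 3.5.0 replaced it with a function that returns the string unchanged) and, with a small model of one HTML parsing rule (the content of <style> and <script> is raw text until the matching end tag), shows how a constructed string that a sanitiser would see as a single <style> element becomes a string containing a live <img> with an onerror handler once the old prefilter has run. The payload and the parser model are constructed for illustration only.

```javascript
// Added example: the jQuery < 3.5.0 htmlPrefilter mechanism behind CVE-2020-11022.
// rxhtmlTag is reproduced from the pre-3.5.0 jQuery source; everything else is
// illustration written for this advisory, not jQuery or Drupal code.

// jQuery < 3.5.0 expanded XHTML-style self-closing tags (other than void
// elements) into an open/close pair BEFORE the browser parsed the string.
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// jQuery 3.5.0+: no rewriting at all, the string reaches the parser unchanged.
function fixedHtmlPrefilter(html) {
  return html;
}

// Minimal model of one HTML parsing rule: inside a raw-text element (<style>,
// <script>) everything is text until the matching end tag. Returns the names
// of the start tags the parser would actually turn into elements.
function elementsCreated(html) {
  const created = [];
  const tagRe = /<(\/?)([a-zA-Z][^\s\/>]*)[^>]*>/g;
  let rawText = null; // name of the raw-text element we are inside, if any
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const isEnd = m[1] === "/";
    const name = m[2].toLowerCase();
    if (rawText !== null) {
      if (isEnd && name === rawText) rawText = null; // only the matching end tag leaves raw text
      continue;                                       // anything else stays inert text
    }
    if (isEnd) continue;
    created.push(name);
    if (name === "style" || name === "script") rawText = name;
  }
  return created;
}

// Constructed payload: to a sanitiser that parses it, this is one <style>
// element whose text content merely looks like markup.
const PAYLOAD = "<style><style /><img src=x onerror=alert(1)>";

// Compare what the parser creates from the raw payload with what it creates
// after each version of the prefilter has rewritten it.
function demo() {
  return {
    before: elementsCreated(PAYLOAD),                          // ["style"]
    afterLegacy: elementsCreated(legacyHtmlPrefilter(PAYLOAD)), // ["style", "img"]
    afterFixed: elementsCreated(fixedHtmlPrefilter(PAYLOAD)),   // ["style"]
  };
}

console.log(legacyHtmlPrefilter(PAYLOAD));
console.log(demo());
```

The rewrite turns `<style />` into `<style ></style>`, and that synthetic end tag closes the outer <style> early, so the <img> that was inert text becomes a real element with an event handler. The lesson for site code is that the string reaching a DOM-manipulation sink must be treated as markup only when it is meant to be markup; if it is data, insert it with .text() (or textContent), which never parses it, and keep jQuery at a version where htmlPrefilter is the identity.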
2. Open Redirect Vulnerability
This vulnerability exists in Drupal core because the destination query
parameter, which drupal_goto() uses to decide where to send the user after a
request completes, is not validated sufficiently, so a destination pointing to
an external site is followed. A remote attacker could exploit this by crafting
a URL on the trusted site whose destination query string points to an
attacker-controlled site.
Successful exploitation of this vulnerability could allow the attacker to
redirect victims from the trusted site to a malicious one and conduct phishing
attacks against them.
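The check that a redirect parameter such as destination needs is shown below as an added JavaScript example. It is illustration written for this advisory, not Drupal's drupal_goto() implementation, and the site origin it uses is an assumed value. The idea is to resolve the parameter the same way a browser would resolve a Location header and then accept it only if the result stays on the site's own origin; that catches the usual bypasses (a second leading slash, a backslash, an absolute URL, a scheme such as javascript:) without maintaining a blacklist.

```javascript
// Added example: strict validation of a "destination"-style redirect parameter.
// Illustration for this advisory, not Drupal code; SITE_ORIGIN is an assumed value.
const SITE_ORIGIN = "https://site.example";

// Returns a same-origin path (plus query and fragment) to redirect to, or null
// when the value must be ignored and a default page used instead.
function safeDestination(destination, origin = SITE_ORIGIN) {
  if (typeof destination !== "string" || destination.length === 0) return null;
  // A local path never carries a scheme; reject absolute URLs outright, even
  // ones that would resolve to our own origin, to keep the rule simple.
  if (/^[a-z][a-z0-9+.\-]*:/i.test(destination)) return null;
  let url;
  try {
    // Resolve exactly as a browser would; "//host", "/\host" and "\\host" all
    // turn into a different origin here instead of a path on ours.
    url = new URL(destination, origin + "/");
  } catch (e) {
    return null;
  }
  if (url.origin !== new URL(origin).origin) return null;
  return url.pathname + url.search + url.hash;
}

// Constructed inputs: the first two are what a legitimate destination looks
// like, the rest are the shapes an attacker would place in a crafted URL.
const SAMPLE_DESTINATIONS = [
  "node/1?foo=bar",
  "/user/login",
  "//evil.example/login",
  "/\\evil.example",
  "\\\\evil.example",
  "https://evil.example/",
  "https://site.example@evil.example/",
  "javascript:alert(1)",
];

function checkSamples() {
  const result = {};
  for (const d of SAMPLE_DESTINATIONS) result[d] = safeDestination(d);
  return result;
}

console.log(checkSamples());
```

Only the first two samples come back as a path; everything else resolves to another origin or carries a scheme and is rejected. Comparing origins after resolution is what matters: a check that merely looks for "http" at the start of the string misses the protocol-relative and backslash forms.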
Solution
Apply the appropriate updates from the vendor (the fixed releases are Drupal
7.70, 8.7.14 and 8.8.6), as described at the following URLs:
Vendor Information
Drupal
References
Drupal
CVE Name
CVE-2020-11022
CVE-2020-11023