This week, corrected at Drupal content management system (CMS) enough cross-site scripting (XSS) errors and vulnerabilities that lead to information disclosure. One of these errors has been identified as critical.
Critical vulnerability is called CVE-2020-13668, is XSS and affects versions Drupal 8 and 9. Exploiting the XSS vulnerability is only possible under certain conditions.
"An attacker could take advantage of the way HTML is executed on the affected forms in order to take advantage of the vulnerability", They say developers of Drupal. The specific error has been reported by many users.
Another XSS vulnerability, which has been rated as quite critical, affects versions Drupal 7, 8 and 9 and is related to API AJAX which does not turn off JSONP by default.
A third XSS vulnerability, of equal severity, affects only Drupal 7 and 8 and is related to “CKEditor image caption ”function which is embedded in the Drupal kernel. Some time ago, some updates were released to address XSS vulnerabilities affecting the CKEditor library.
Developers and administrators sites are also facing a relatively critical error. It affects the experimental Workspaces module, which allows users to create multiple workspaces in one website. There they can edit content before posting it on the live workspace.
"The Workspaces module does not adequately control access rights when switching workspaces. An attacker could see content before the site owner posted it for everyone to see", Explained the developers of Drupal.
As we read in securityweek, the last vulnerability that was fixed affects File module and allows the attacker to acquire access the metadata of a private file, guessing his ID.
It is worth noting that the versions Drupal 8 before 8.8.x is no longer supported and therefore do not receive updates security.