CVE-2020-13673
11.02.2022, 16:15
The Entity Embed module provides a filter to allow embedding entities in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed entities. In some cases, this could lead to cross-site scripting.
| Vendor | Product | Version |
|---|---|---|
| drupal | entity_embed | 8.x-1.0:x |
| drupal | entity_embed | 8.x-1.0:x |
| drupal | entity_embed | 8.x-1.0:x |
| drupal | entity_embed | 8.x-1.0:x |
| drupal | entity_embed | 8.x-1.0:x |
| drupal | entity_embed | 8.x-1.0:x |
| drupal | entity_embed | 8.x-1.0:x |
| drupal | entity_embed | 8.x-1.0:x |
| drupal | entity_embed | 8.x-1.0:x |
| drupal | entity_embed | 8.x-1.1:x |
| drupal | entity_embed | 8.x-1.2:x |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-352 - Cross-Site Request Forgery (CSRF)The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.