Checkmarx identified a document object model-based cross-site scripting (DOM XSS) vulnerability in Drupal Core.
As part of our ongoing mission to help organizations develop and deploy more secure software and applications, and in light of Checkmarx’s expanded insight into the open source security landscape with its recently launched SCA solution, the Checkmarx Security Research Team analyzed including enterprise and government sites worldwide. Drupal just recently released two major versions, which piqued our researchers’ interest. Once the team got to work on the two latest versions of Drupal, they quickly found that both versions were vulnerable to being exploited. Later, it is was confirmed by Drupal that every maintained version of Drupal (7.x, 8.8.x, 8.9.x) were easily exploitable by the same techniques. These issues were discovered by Dor Tumarkin of the Checkmarx Security Research Team. Drupal acknowledged and patched the vulnerability, assigning it CVE-2020-13663. More information can be found below and on their security advisories page. The Checkmarx Security Research Team identified a document object model-based cross-site scripting (DOM XSS for short) vulnerability in Drupal Core. This type of XSS attack is achievable if a web application enters data to the DOM without being appropriately sanitized. In this case, an attacker can manipulate their input data to include XSS content on the web page, for example, malicious JavaScript code, which in-turn would be consumed by Drupal Core itself.
