{"id":"CVE-2020-13672","details":"Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14; 7.x versions prior to 7.80.","aliases":["BIT-drupal-2020-13672","DRUPAL-CORE-2021-002","GHSA-3m36-mjwj-352c"],"modified":"2026-04-10T04:18:43.030230Z","published":"2022-02-11T16:15:08.190Z","references":[{"type":"FIX","url":"https://www.drupal.org/sa-core-2021-002"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/drupal/drupal","events":[{"introduced":"0"},{"fixed":"069f956d68b4dbee470224b21e2c2cab38954725"},{"introduced":"a412ca41cfc0d954fe3cb2dd982dc6ca049b1c70"},{"fixed":"f3512fc3fb6fe1788cfb5a4b169657d46ffdba80"},{"introduced":"d62812dc17ce593beb2ccd4cdbee1a76c95e3fd7"},{"fixed":"d40dbd050e2ef07b9737e5919de11c3ff8d660a6"},{"introduced":"5c6f14f762c9aef87cd2731818386f202ee8463c"},{"fixed":"8a04fee4a8ef8e40cc4507a59031ed336d6eae2e"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"7.80"},{"introduced":"8.9.0"},{"fixed":"8.9.14"},{"introduced":"9.0.0"},{"fixed":"9.0.12"},{"introduced":"9.1.0"},{"fixed":"9.1.7"}]}}],"versions":["1.0","2.0","3.0.1","5.0-beta-1","5.0-beta-2","5.0-rc-1","5.0-rc-2","6.0-beta-1","6.0-beta-2","6.0-beta-3","6.0-beta-4","6.0-rc-1","6.0-rc-2","6.0-rc-3","7.0","7.0-alpha1","7.0-alpha2","7.0-alpha3","7.0-alpha4","7.0-alpha5","7.0-alpha6","7.0-alpha7","7.0-beta1","7.0-beta2","7.0-beta3","7.0-rc-1","7.0-rc-2","7.0-rc-3","7.0-rc-4","7.0-unstable-1","7.0-unstable-10","7.0-unstable-2","7.0-unstable-3","7.0-unstable-4","7.0-unstable-5","7.0-unstable-6","7.0-unstable-7","7.10","7.12","7.14","7.15","7.17","7.22","7.23","7.25","7.28","7.30","7.33","7.36","7.37","7.4","7.40","7.42","7.43","7.50","7.51","7.54","7.55","7.56","7.6","7.61","7.64","7.68","7.7","7.71","7.76","7.77","7.79","7.8","7.9","8.9.0","8.9.11","8.9.12","8.9.13","8.9.2","8.9.3","8.9.4","8.9.5","8.9.8","9.0.0","9.0.10","9.0.11","9.0.2","9.0.3","9.0.5","9.1.0","9.1.1","9.1.2","9.1.4","9.1.5","9.1.6","start"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-13672.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}