6.1
CVE-2020-13673
- EPSS 0.25%
- Published 11.02.2022 16:15:08
- Last modified 21.11.2024 05:01:44
- Source mlhess@drupal.org
- Teams watchlist Login
- Open Login
The Entity Embed module provides a filter to allow embedding entities in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed entities. In some cases, this could lead to cross-site scripting.
Data is provided by the National Vulnerability Database (NVD)
Drupal ≫ Entity Embed Version8.x-1.0 Update-
Drupal ≫ Entity Embed Version8.x-1.0 Updatealpha1
Drupal ≫ Entity Embed Version8.x-1.0 Updatealpha2
Drupal ≫ Entity Embed Version8.x-1.0 Updatealpha3
Drupal ≫ Entity Embed Version8.x-1.0 Updatebeta1
Drupal ≫ Entity Embed Version8.x-1.0 Updatebeta2
Drupal ≫ Entity Embed Version8.x-1.0 Updatebeta3
Drupal ≫ Entity Embed Version8.x-1.0 Updaterc1
Drupal ≫ Entity Embed Version8.x-1.0 Updaterc2
Drupal ≫ Entity Embed Version8.x-1.1
Drupal ≫ Entity Embed Version8.x-1.2
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.25% | 0.479 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
| nvd@nist.gov | 2.6 | 4.9 | 2.9 |
AV:N/AC:H/Au:N/C:N/I:P/A:N
|
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.