Advertisement
The most serious of the flaws is CVE-2020-13668, a critical XSS issue affecting Drupal 8 and 9. It’s worth noting that Drupal uses the NIST Common Misuse Scoring System to determine security risk levels and critical is the second highest level, after highly critical.
The issue is a reflected XSS and exploitation is only possible under certain circumstances.
“An attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability,” reads Drupal’s description of the vulnerability, which has been independently reported by several individuals.