In Drupal 7 versions prior to 7.65, Drupal 8.6 versions prior to 8.6.13, and Drupal 8.5 versions prior to 8.5.14, under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.

| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| drupal/core (Packagist) | 7.0.0 | 7.65.0 | N/A |
| drupal/core (Packagist) | 8.0.0 | 8.5.14 | N/A |
| drupal/core (Packagist) | 8.6.0 | 8.6.13 | N/A |
| drupal/drupal (Packagist) | 7.0.0 | 7.65.0 | N/A |
| drupal/drupal (Packagist) | 8.0.0 | 8.5.14 | N/A |
| drupal/drupal (Packagist) | 8.6.0 | 8.6.13 | N/A |

CVSS Metrics