Cross Site Request Forgery vulnerability in Drupal Core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.

Affected Packages

Packagist drupal/core

Affected versions: 8.9.0 (fixed in 8.9.1)

Packagist drupal/core

Affected versions: 9.0.0 (fixed in 9.0.1)

Packagist drupal/core

Affected versions: 7.0.0 (fixed in 7.72)

Packagist drupal/core

Affected versions: 8.0.0 (fixed in 8.8.8)

Packagist drupal/drupal

Affected versions: 7.0.0 (fixed in 7.72)

Packagist drupal/drupal

Affected versions: 8.0.0 (fixed in 8.8.8)

Packagist drupal/drupal

Affected versions: 8.9.0 (fixed in 8.9.1)

Packagist drupal/drupal

Affected versions: 9.0.0 (fixed in 9.0.1)

Related CVEs

CVE-2020-13663

Key Information

GHSA ID

GHSA-m648-hpf8-qcjw

Published

May 24, 2022 7:05 PM

Last Modified

February 6, 2024 1:09 PM

CVSS Score

7.5 /10

Primary Ecosystem

Packagist

Primary Package

drupal/core

GitHub Reviewed

✓ Yes

Dataset

Last updated: June 18, 2025 6:25 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.