CVE-2020-13666: 
PHP vulnerability analysis and mitigation

CVE-2020-13666 is a Cross-Site Scripting (XSS) vulnerability discovered in Drupal Core. The vulnerability exists because the Drupal AJAX API does not disable JSONP by default, which could allow for XSS attacks. This vulnerability affects multiple versions of Drupal Core including 7.x versions prior to 7.73, 8.8.x versions prior to 8.8.10, 8.9.x versions prior to 8.9.6, and 9.0.x versions prior to 9.0.6 (CVE Details).

The vulnerability stems from a security flaw in Drupal Core's AJAX API implementation where JSONP is not disabled by default. This configuration could allow attackers to perform cross-site scripting attacks through the AJAX API (NVD).

The vulnerability could allow attackers to perform cross-site scripting (XSS) attacks against affected Drupal installations. XSS attacks could potentially lead to the execution of malicious scripts in users' browsers in the context of the affected site (Debian Tracker).

Users should upgrade to the following fixed versions: Drupal 7.73 or later for 7.x installations, 8.8.10 or later for 8.8.x installations, 8.9.6 or later for 8.9.x installations, and 9.0.6 or later for 9.0.x installations (Drupal Advisory).