CVE-2020-13672: 
PHP vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability was identified in Drupal core's sanitization API that fails to properly filter cross-site scripting under certain circumstances. The vulnerability, tracked as CVE-2020-13672, affects multiple versions of Drupal Core including 9.1.x versions prior to 9.1.7, 9.0.x versions prior to 9.0.12, 8.9.x versions prior to 8.9.14, and 7.x versions prior to 7.80 (NVD, CVE).

The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. Under CVSS v2.0, it received a base score of 2.6 (LOW) with the vector string (AV:N/AC:H/Au:N/C:N/I:P/A:N). The vulnerability is classified as CWE-79, which refers to Improper Neutralization of Input During Web Page Generation (NVD).

The vulnerability could potentially allow attackers to execute cross-site scripting attacks, leading to unauthorized access to sensitive information and potential manipulation of web content. The CVSS scores indicate that while user interaction is required, the vulnerability could result in limited confidentiality and integrity impacts (NVD).

Users are advised to upgrade to the following patched versions: Drupal 9.1.7 or later for 9.1.x installations, 9.0.12 or later for 9.0.x installations, 8.9.14 or later for 8.9.x installations, and 7.80 or later for 7.x installations (Drupal Advisory).