{"id":"CVE-2020-13668","details":"Access Bypass vulnerability in Drupal Core allows for an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.","aliases":["BIT-drupal-2020-13668","GHSA-m6q5-wv4x-fv6h"],"modified":"2026-04-11T22:58:22.094663Z","published":"2022-02-11T16:15:08.020Z","references":[{"type":"FIX","url":"https://www.drupal.org/sa-core-2020-009"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/drupal/drupal","events":[{"introduced":"f2b59e3ae8097ea01d15c708f1267b73794399c0"},{"fixed":"0acec51a303eeb84302553d51f9ac41e805e9614"},{"introduced":"a412ca41cfc0d954fe3cb2dd982dc6ca049b1c70"},{"fixed":"db320ce405a948090ca031d32531195d85aded4e"},{"introduced":"d62812dc17ce593beb2ccd4cdbee1a76c95e3fd7"},{"fixed":"b6ca29bfc44d6fc243d0e98b425dc31e9187f05a"}],"database_specific":{"cpe":"cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"introduced":"8.8.0"},{"fixed":"8.8.10"},{"introduced":"8.9.0"},{"fixed":"8.9.6"},{"introduced":"9.0.0"},{"fixed":"9.0.6"}]}}],"versions":["8.8.0","8.8.2","8.8.3","8.8.5","8.8.7","8.8.9","8.9.0","8.9.2","8.9.3","8.9.4","8.9.5","9.0.0","9.0.2","9.0.3","9.0.5"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-13668.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}