Drupal core - Critical - Cross Site Request Forgery - SA-CORE-2020-004

Drupal Security

Project: Drupal core
Date: 2020-June-17
Security risk: Critical 15∕25 
Vulnerability: Cross Site Request Forgery
CVE IDs: CVE-2020-13663


The Drupal core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.


If you are using Drupal 7.x, upgrade to Drupal 7.72.
If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8.
If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1.
If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1.

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.8.

All the websites hosted on AltaGrade which opted to automatic core updates have already been updated.

We value your opinion. Please add your feedback.