Description
Affects Drupal 7 versions prior to 7.65, Drupal 8.6 versions prior to 8.6.13, and Drupal 8.5 versions prior to 8.5.14. Under certain circumstances, the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.
Remediation
References
Related Vulnerabilities
Envoy Proxy NULL Pointer Dereference Vulnerability (CVE-2019-18838)
Microsoft SQL Server Other Vulnerability (CVE-2002-0154)
Drupal Core 4.7.x Cross-Site Scripting (4.7.0 - 4.7.4)
WordPress Plugin Flip Slideshow Cross-Site Scripting (2.2)
WordPress Plugin Mailtree Log Mail Cross-Site Scripting (1.0.0)