diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index f56fd2b48..4f438e7b4 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,3 +1,8 @@
+Drupal 7.72, 2020-06-17
+-----------------------
+- Fixed security issues:
+ - SA-CORE-2020-004
+
 Drupal 7.71, 2020-06-03
 -----------------------
 - Fix for jQuery Form bug in Chromium-based browsers
diff --git a/LUGGAGE_CHANGELOG.txt b/LUGGAGE_CHANGELOG.txt
index e076c65de..1cb491512 100644
--- a/LUGGAGE_CHANGELOG.txt
+++ b/LUGGAGE_CHANGELOG.txt
@@ -2,6 +2,11 @@ How to read this changelog: The LUGG- prefix refers to JIRA issue numbers; the # prefix refers to GitHub issue numbers.
+Luggage 3.6.13, 2020-06-17
+Drupal 7.72, 2020-06-17
+-------------------------
+- LUGG-1214 - Drupal 7.72 SA-CORE-2020-004
+
 Luggage 3.6.12, 2020-06-09
 Drupal 7.71, 2020-06-03
 -------------------------
diff --git a/LUGGAGE_ISU_CHANGELOG.txt b/LUGGAGE_ISU_CHANGELOG.txt
index 1e6dc5063..b338fbb55 100644
--- a/LUGGAGE_ISU_CHANGELOG.txt
+++ b/LUGGAGE_ISU_CHANGELOG.txt
@@ -6,6 +6,12 @@ The Luggage_ISU version number shows the upstream Luggage version it is based on as well as the Luggage_ISU version. For example, Luggage_ISU 3.5.0-5.0 is based on the upstream Luggage release 3.5.0.
+Luggage_ISU 3.6.13-6.13, 2020-06-17
+Drupal 7.72, 2020-06-17
+-------------------------
+Merged with upstream Luggage 3.6.13
+- LUGG-1214 - Drupal 7.72 SA-CORE-2020-004
+
 Luggage_ISU 3.6.12-6.12, 2020-06-09
 Drupal 7.71, 2020-06-03
 -------------------------
diff --git a/LUGGAGE_ISU_VERSION.php b/LUGGAGE_ISU_VERSION.php
index 16e9daba2..7e8fca0af 100644
--- a/LUGGAGE_ISU_VERSION.php
+++ b/LUGGAGE_ISU_VERSION.php
@@ -1,3 +1,3 @@ $query));
- // Setting this error will cause the form to fail validation.
- form_set_error('form_token', t('The form has become outdated. Copy any unsaved work in the form below and then reload this page.', array('@link' => $url)));
+ form_set_error('form_token', t('The form has become outdated. Press the back button, copy any unsaved work in the form, and then reload the page.'));
 }
 /**
@@ -1181,6 +1177,11 @@ function drupal_validate_form($form_id, &$form, &$form_state) {
 if (!empty($form['#token'])) {
 if (!drupal_valid_token($form_state['values']['form_token'], $form['#token']) || !empty($form_state['invalid_token'])) {
 _drupal_invalid_token_set_form_error();
+ // Ignore all submitted values.
+ $form_state['input'] = array();
+ $_POST = array();
+ // Make sure file uploads do not get processed.
+ $_FILES = array();
 // Stop here and don't run any further validation handlers, because they
 // could invoke non-safe operations which opens the door for CSRF
 // vulnerabilities.
@@ -1848,6 +1849,9 @@ function form_builder($form_id, &$element, &$form_state) {
 _drupal_invalid_token_set_form_error();
 // This value is checked in _form_builder_handle_input_element().
 $form_state['invalid_token'] = TRUE;
+ // Ignore all submitted values.
+ $form_state['input'] = array();
+ $_POST = array();
 // Make sure file uploads do not get processed.
 $_FILES = array();
 }
diff --git a/modules/file/tests/file.test b/modules/file/tests/file.test
index 849451a55..c8264349d 100644
--- a/modules/file/tests/file.test
+++ b/modules/file/tests/file.test
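Review bot: In the drupal_validate_form hunk the new comment says all submitted values are ignored, but only `$form_state['input']`, `$_POST` and `$_FILES` are reset; `$form_state['values']`, which the condition on the line above already reads through `$form_state['values']['form_token']`, is left untouched and presumably still carries the mapped submission. If nothing on the early-exit path needs it, adding `$form_state['values'] = array();` next to the input reset would make the state match the comment; the form_builder hunk does not have this gap because its `$form_state['invalid_token']` flag stops input from being taken, as its existing comment notes. Both hunks now repeat the same reset lines right after calling `_drupal_invalid_token_set_form_error()`; folding the resets into that helper would keep the two paths from drifting, provided the helper has no caller that must not clear the superglobals. The bodies of drupal_validate_form and form_builder continue outside the hunks.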
@@ -409,7 +409,7 @@ class FileManagedFileElementTestCase extends FileFieldTestCase {
 'form_token' => 'invalid token',
 );
 $this->drupalPost($path, $edit, t('Save'));
- $this->assertText('The form has become outdated. Copy any unsaved work in the form below');
+ $this->assertText('The form has become outdated.');
 $last_fid = $this->getLastFileId();
 $this->assertEqual($last_fid_prior, $last_fid, 'File was not saved when uploaded with an invalid form token.');
diff --git a/modules/simpletest/tests/form.test b/modules/simpletest/tests/form.test
index e52c8c42e..d1be69d72 100644
--- a/modules/simpletest/tests/form.test
+++ b/modules/simpletest/tests/form.test
@@ -521,6 +521,9 @@ class FormsTestCase extends DrupalWebTestCase {
 $form_state['values'] = array();
 drupal_prepare_form($form_id, $form, $form_state);
+ // Set the CSRF token in the user-provided input.
+ $form_state['input']['form_token'] = $form['form_token']['#default_value'];
+
 // This is the main function we want to test: it is responsible for
 // populating user supplied $form_state['input'] to sanitized
 // $form_state['values'].
@@ -687,7 +690,7 @@ class FormValidationTestCase extends DrupalWebTestCase {
 $this->drupalPost(NULL, $edit, 'Save');
 $this->assertNoFieldByName('name', '#value changed by #validate', 'Form element #value was not altered.');
 $this->assertNoText('Name value: value changed by form_set_value() in #validate', 'Form element value in $form_state was not altered.');
- $this->assertText('The form has become outdated. Copy any unsaved work in the form below');
+ $this->assertText('The form has become outdated.');
 }
 /**
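Review bot: The loosened assertion `$this->assertText('The form has become outdated.');` passes on both the old and the new message, so the test no longer pins the wording a user sees after a token failure; the same loosening is made in the form.test @@ -687 hunk. Asserting the full new string, `$this->assertText('The form has become outdated. Press the back button, copy any unsaved work in the form, and then reload the page.');`, would also catch an accidental revert of the message. The enclosing test methods start outside the hunks.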
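Review bot: In the form.test @@ -521 hunk, the new line `$form_state['input']['form_token'] = $form['form_token']['#default_value'];` reads `$form['form_token']['#default_value']` unconditionally, so if drupal_prepare_form does not add a form_token element in this test context — I cannot tell from the hunk whether it always does — the test would surface an undefined-index notice rather than a clear failure. A precondition check such as `$this->assertTrue(isset($form['form_token']['#default_value']), 'drupal_prepare_form() added a form token.');` before the assignment would make the dependency explicit. The enclosing test method starts outside the hunk.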