View online: https://www.drupal.org/sa-core-2025-004
Project: Drupal core [1]
Date: 2025-March-19
Security risk: *Moderately critical* 13/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross Site Scripting
Affected versions: >= 8.0.0 < 10.3.14 || >= 10.4.0 < 10.4.5 || >= 11.0.0 < 11.0.13 || >= 11.1.0 < 11.1.5
Description: Drupal core Link field attributes are not sufficiently sanitized, which can lead to a Cross Site Scripting vulnerability (XSS).
This vulnerability is mitigated by the fact that an attacker would need to have the ability to add specific attributes to a Link field, which typically requires edit access via core web services, or a contrib or custom module.
Sites with the Link module disabled or that do not use any link fields are not affected.
Solution: Install the latest version:
* If you use Drupal 10.3.x, update to Drupal 10.3.14 [3]
* If you use Drupal 10.4.x, update to Drupal 10.4.5 [4]
* If you use Drupal 11.0.x, update to Drupal 11.0.13 [5]
* If you use Drupal 11.1.x, update to Drupal 11.1.5 [6]
All versions of Drupal prior to 10.3 are end-of-life and do not receive security coverage from the Drupal Security Team.
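To turn the affected ranges and update targets above into a check a site inventory can run, here is an added example (not part of the advisory and not Drupal's own code). The version-string parsing and the ordering of pre-release tags such as "-rc1" below their final release are assumptions; the ranges and fixed releases are copied from this advisory.

```python
import re

# Affected ranges copied from the advisory: lower bound (inclusive),
# upper bound (exclusive), and the release that closes the range.
AFFECTED_RANGES = [
    ((8, 0, 0), (10, 3, 14), "10.3.14"),
    ((10, 4, 0), (10, 4, 5), "10.4.5"),
    ((11, 0, 0), (11, 0, 13), "11.0.13"),
    ((11, 1, 0), (11, 1, 5), "11.1.5"),
]

# Branches below this one are end-of-life per the advisory and receive no fix.
OLDEST_SUPPORTED = (10, 3, 0)

# Assumed Drupal core version shape: major.minor[.patch][-pre-release tag]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.]+))?$")


def parse_version(version):
    """Turn a Drupal core version string into a sortable tuple.

    Returns (major, minor, patch, final) where final is 1 for a release and
    0 for a pre-release such as 10.3.14-rc1, so a pre-release sorts just
    below its final release (an assumption about Drupal's ordering).
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    major, minor, patch, pre = match.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)


def check_version(version):
    """Return (affected, advice) for one installed Drupal core version.

    Pre-releases of a fixed version are conservatively reported as affected,
    because the advisory only names the final releases as fixed.
    """
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low + (0,) <= v < high + (1,):
            if v < OLDEST_SUPPORTED + (0,):
                return True, ("branch is end-of-life: no fix is available, "
                              "upgrade to a supported branch (10.3.14 or later)")
            return True, f"update to {fixed}"
    return False, "not in the advisory's affected ranges"


if __name__ == "__main__":
    # Constructed sample versions, as a site inventory might report them.
    for sample in ["9.5.11", "10.3.13", "10.4.5", "11.1.5-rc1", "11.2.0"]:
        print(sample, "->", check_version(sample))
```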
Reported By:
* Samuel Mortenson (samuel.mortenson) [7]
Fixed By:
* Benji Fisher (benjifisher) [8] of the Drupal Security Team
* Bram Driesen (bramdriesen) [9] Provisional Member of the Drupal Security Team
* Alex Bronstein (effulgentsia) [10]
* Jen Lampton (jenlampton) [11] Provisional Member of the Drupal Security Team
* Lee Rowlands (larowlan) [12] of the Drupal Security Team
* Dave Long (longwave) [13] of the Drupal Security Team
* Drew Webber (mcdruid) [14] of the Drupal Security Team
* Joseph Zhao (pandaski) [15] Provisional Member of the Drupal Security Team
* Adam G-H (phenaproxima) [16]
* Samuel Mortenson (samuel.mortenson) [17]
* Jess (xjm) [18] of the Drupal Security Team
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/10.3.14
[4] https://www.drupal.org/project/drupal/releases/10.4.5
[5] https://www.drupal.org/project/drupal/releases/11.0.13
[6] https://www.drupal.org/project/drupal/releases/11.1.5
[7] https://www.drupal.org/u/samuelmortenson
[8] https://www.drupal.org/u/benjifisher
[9] https://www.drupal.org/u/bramdriesen
[10] https://www.drupal.org/u/effulgentsia
[11] https://www.drupal.org/u/jenlampton
[12] https://www.drupal.org/u/larowlan
[13] https://www.drupal.org/u/longwave
[14] https://www.drupal.org/u/mcdruid
[15] https://www.drupal.org/u/pandaski
[16] https://www.drupal.org/u/phenaproxima
[17] https://www.drupal.org/u/samuelmortenson
[18] https://www.drupal.org/u/xjm