View online: https://www.drupal.org/sa-core-2024-005
Project: Drupal core [1]
Date: 2024-November-20
Security risk: *Critical* 17 ∕ 25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross Site Scripting
Description: Drupal 7 core's Overlay module doesn't safely handle user input, leading to reflected cross-site scripting under certain circumstances.
Only sites with the Overlay module enabled are affected by this vulnerability.
Solution: Install the latest version:
* If you are using Drupal 7, update to Drupal 7.102 [3]
* Sites may also disable the Overlay module to avoid the issue.
Drupal 10 and Drupal 11 are not affected, as the Overlay module was removed from Drupal core in Drupal 8.
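The following POSIX shell script is an added example, not part of the advisory or of Drupal's own tooling. It checks the first half of the exposure question above, whether a Drupal 7 docroot is still below the fixed 7.102 release, by reading the VERSION constant that Drupal 7 defines in includes/bootstrap.inc. The docroot path and the function names are assumptions of this example; the treatment of non-numeric development versions (reported as unknown) is likewise this script's own choice.

```shell
#!/bin/sh
# Added example (not Drupal project code): report whether a Drupal 7 docroot
# runs a core release older than 7.102, the release that fixes SA-CORE-2024-005.
# Whether the Overlay module is enabled is stored in the database, not on disk,
# so this script covers only the version half of the check (see the usage note).

# Usage: drupal7_core_version DOCROOT
# Prints the VERSION constant from includes/bootstrap.inc, or nothing if the
# file or the constant cannot be found.
drupal7_core_version() {
    docroot="$1"
    # Drupal 7 declares its version on a line of the form: define('VERSION', '7.101');
    sed -n "s/^define('VERSION', '\([^']*\)');.*/\1/p" "$docroot/includes/bootstrap.inc" 2>/dev/null | head -n 1
}

# Usage: sa_core_2024_005_status DOCROOT
# Prints exactly one word:
#   patched      core is 7.102 or newer
#   vulnerable   core is a 7.x release below 7.102; update, or disable Overlay
#   unknown      not a Drupal 7 docroot, or the version is not a numeric release
sa_core_2024_005_status() {
    ver=$(drupal7_core_version "$1")
    case "$ver" in
        7.*) minor="${ver#7.}" ;;
        *)   echo unknown; return 0 ;;
    esac
    # Development checkouts carry a non-numeric suffix instead of a minor
    # number (assumption of this example); they are reported as unknown.
    case "$minor" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    if [ "$minor" -ge 102 ]; then
        echo patched
    else
        echo vulnerable
    fi
}
```

To complete the check, confirm the module state on the site itself: with Drush 8 against a Drupal 7 site, `drush pm-list --type=module --status=enabled` lists enabled modules, and the equivalent database query is `SELECT status FROM system WHERE type = 'module' AND name = 'overlay';` (a status of 1 means enabled). A site is exposed only when both conditions hold: core below 7.102 and Overlay enabled.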
Reported By: * Cesar [4]
Fixed By:
* Cesar [5]
* Greg Knaddison [6] of the Drupal Security Team
* Matthew Grill [7]
* Wim Leers [8]
* Drew Webber [9] of the Drupal Security Team
* Ra Mänd [10]
* Fabian Franz [11]
* Juraj Nemec [12] of the Drupal Security Team
Coordinated By:
* Juraj Nemec [13] of the Drupal Security Team
* Greg Knaddison [14] of the Drupal Security Team
* xjm [15] of the Drupal Security Team
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/7.102
[4] https://www.drupal.org/user/3546810
[5] https://www.drupal.org/user/3546810
[6] https://www.drupal.org/user/36762
[7] https://www.drupal.org/user/1602706
[8] https://www.drupal.org/user/99777
[9] https://www.drupal.org/user/255969
[10] https://www.drupal.org/user/601534
[11] https://www.drupal.org/user/693738
[12] https://www.drupal.org/user/272316
[13] https://www.drupal.org/user/272316
[14] https://www.drupal.org/user/36762
[15] https://www.drupal.org/u/xjm