View online: https://www.drupal.org/sa-core-2021-006 Project: Drupal core [1] Date: 2021-September-15 Security risk: *Moderately critical* 10∕25 AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Cross Site Request Forgery CVE IDs: CVE-2020-13673 Description:  The Drupal core Media module provides a filter to allow embedding internal and external media in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed media. In some cases, this could lead to cross-site scripting. This advisory is not covered by Drupal Steward [3]. Also see Entity Embed - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2021-028 [4] which addresses a similar vulnerability for that module. Solution:  Install the latest version: * If you are using Drupal 9.2, update to Drupal 9.2.6 [5]. * If you are using Drupal 9.1, update to Drupal 9.1.13 [6]. * If you are using Drupal 8.9, update to Drupal 8.9.19 [7]. Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are end-of-life and do not receive security coverage. Drupal 7 core is not affected. Reported By:  * Aaron Zinck [8] Fixed By:  * Aaron Zinck [9] * Sean Blommaert [10] * Alex Bronstein [11] of the Drupal Security Team * Marcos Cano [12] * Lee Rowlands [13] of the Drupal Security Team * Adam G-H [14] * Jess [15] of the Drupal Security Team * Drew Webber [16] of the Drupal Security Team * Neil Drumm [17] of the Drupal Security Team * Brian Tofte-Schumacher [18] [1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/steward [4] https://www.drupal.org/sa-contrib-2021-028 [5] https://www.drupal.org/project/drupal/releases/9.2.6 [6] https://www.drupal.org/project/drupal/releases/9.1.13 [7] https://www.drupal.org/project/drupal/releases/8.9.19 [8] https://www.drupal.org/user/518662 [9] https://www.drupal.org/user/518662 [10] https://www.drupal.org/user/545912 [11] https://www.drupal.org/user/78040 [12] https://www.drupal.org/user/1288796 [13] https://www.drupal.org/user/395439 [14] https://www.drupal.org/user/205645 [15] https://www.drupal.org/user/65776 [16] https://www.drupal.org/user/255969 [17] https://www.drupal.org/user/3064 [18] https://www.drupal.org/user/3525810