[Security-news] Drupal core - Critical - Cross-site scripting - SA-CORE-2021-002
security-news at drupal.org
security-news at drupal.org
Wed Apr 21 16:34:54 UTC 2021
View online: https://www.drupal.org/sa-core-2021-002
Project: Drupal core [1]
Date: 2021-April-21
Security risk: *Critical* 15∕25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross-site scripting
Description:
Drupal core's sanitization API fails to properly filter cross-site scripting
under certain circumstances.
Not all sites and users are affected, but configuration changes to prevent
the exploit might be impractical and will vary between sites. Therefore, we
recommend all sites update to this release as soon as possible.
Solution:
Install the latest version:
* If you are using Drupal 9.1, update to Drupal 9.1.7 [3].
* If you are using Drupal 9.0, update to Drupal 9.0.12 [4].
* If you are using Drupal 8.9, update to Drupal 8.9.14 [5].
* If you are using Drupal 7, update to Drupal 7.80 [6].
Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive
security coverage.
Reported By:
* Jasper Mattsson [7]
Fixed By:
* Alex Pott [8] of the Drupal Security Team
* Jasper Mattsson [9]
* Michael Hess [10] of the Drupal Security Team
* Wim Leers [11]
* Heine [12] of the Drupal Security Team
* Peter Wolanin [13] of the Drupal Security Team
* Jess (xjm) [14] of the Drupal Security Team
* Samuel Mortenson [15] of the Drupal Security Team
* nwellnhof [16]
* Alex Bronstein [17] of the Drupal Security Team
* Lee Rowlands [18] of the Drupal Security Team
* Adam G-H [19]
* Drew Webber [20] of the Drupal Security Team
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/9.1.7
[4] https://www.drupal.org/project/drupal/releases/9.0.12
[5] https://www.drupal.org/project/drupal/releases/8.9.14
[6] https://www.drupal.org/project/drupal/releases/7.80
[7] https://www.drupal.org/user/521118
[8] https://www.drupal.org/user/157725
[9] https://www.drupal.org/user/521118
[10] https://www.drupal.org/user/102818
[11] https://www.drupal.org/user/99777
[12] https://www.drupal.org/user/17943
[13] https://www.drupal.org/user/49851
[14] https://www.drupal.org/user/65776
[15] https://www.drupal.org/user/2582268
[16] https://www.drupal.org/user/3407764
[17] https://www.drupal.org/user/78040
[18] https://www.drupal.org/user/395439
[19] https://www.drupal.org/user/205645
[20] https://www.drupal.org/user/255969
More information about the Security-news
mailing list