[Security-news] Drupal core - Critical - Cross Site Scripting - SA-CORE-2024-005
security-news at drupal.org
Wed Nov 20 20:23:48 UTC 2024
View online: https://www.drupal.org/sa-core-2024-005
Project: Drupal core [1]
Date: 2024-November-20
Security risk: *Critical* 17 ∕ 25
AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross Site Scripting
Description:
Drupal 7 core's Overlay module doesn't safely handle user input, leading to
reflected cross-site scripting under certain circumstances.
Only sites with the Overlay module enabled are affected by this
vulnerability.
Solution:
Install the latest version:
* If you are using Drupal 7, update to Drupal 7.102 [3]
* Sites may also disable the Overlay module to avoid the issue.
Drupal 10 and Drupal 11 are not affected, as the Overlay module was removed
from Drupal core in Drupal 8.
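
A triage check for the two conditions stated above (Drupal 7 older than 7.102, Overlay module enabled), added here as an example; it is not part of the original advisory or of Drupal's code. It assumes the core version is read from includes/bootstrap.inc and that the enabled-module list comes from Drush 8; the function names are illustrative.

```shell
#!/bin/sh
# Added triage helper for SA-CORE-2024-005; not Drupal project code.
# Assumptions (not from the advisory): core version is read from the
# define('VERSION', ...) line in includes/bootstrap.inc, and the caller passes
# the enabled-module machine names, e.g. the output of
#   drush pm-list --type=module --status=enabled --pipe

FIXED_MINOR=102   # advisory: fixed in Drupal 7.102

# Print the core version string found under a Drupal 7 docroot (empty if none).
drupal7_version() {
  sed -n "s/^define('VERSION', *'\([^']*\)');.*/\1/p" \
    "$1/includes/bootstrap.inc" 2>/dev/null | head -n 1
}

# classify VERSION "ENABLED MODULES" prints one of:
#   affected          Drupal 7 older than 7.102 with Overlay enabled
#   overlay-disabled  older than 7.102, Overlay off (still update)
#   patched           7.102 or later
#   not-drupal7       another major version (advisory: 10 and 11 unaffected)
#   unknown           no version, or a suffix such as -dev: review by hand
classify() {
  version=$1
  modules=$2
  case $version in
    7.*) ;;
    '')  echo unknown; return ;;
    *)   echo not-drupal7; return ;;
  esac
  minor=${version#7.}
  case $minor in
    ''|*[!0-9]*) echo unknown; return ;;
  esac
  if [ "$minor" -ge "$FIXED_MINOR" ]; then
    echo patched
  elif printf '%s\n' "$modules" | tr -s ' \t' '\n\n' | grep -qx overlay; then
    echo affected
  else
    echo overlay-disabled
  fi
}

# Constructed sample: a 7.101 site with Overlay enabled.
classify 7.101 "node overlay system"   # prints: affected
```

On a live site, pass the output of drupal7_version for the docroot as the first argument and the Drush module list as the second.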
Reported By:
* Cesar [4]
Fixed By:
* Cesar [5]
* Greg Knaddison [6] of the Drupal Security Team
* Matthew Grill [7]
* Wim Leers [8]
* Drew Webber [9] of the Drupal Security Team
* Ra Mänd [10]
* Fabian Franz [11]
* Juraj Nemec [12] of the Drupal Security Team
Coordinated By:
* Juraj Nemec [13] of the Drupal Security Team
* Greg Knaddison [14] of the Drupal Security Team
* xjm [15] of the Drupal Security Team
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/7.102
[4] https://www.drupal.org/user/3546810
[5] https://www.drupal.org/user/3546810
[6] https://www.drupal.org/user/36762
[7] https://www.drupal.org/user/1602706
[8] https://www.drupal.org/user/99777
[9] https://www.drupal.org/user/255969
[10] https://www.drupal.org/user/601534
[11] https://www.drupal.org/user/693738
[12] https://www.drupal.org/user/272316
[13] https://www.drupal.org/user/272316
[14] https://www.drupal.org/user/36762
[15] https://www.drupal.org/u/xjm