[Security-news] Drupal core - Critical - Cross site scripting - SA-CORE-2025-001

security-news at drupal.org
Wed Feb 19 18:13:11 UTC 2025


View online: https://www.drupal.org/sa-core-2025-001

Project: Drupal core [1]
Date: 2025-February-19
Security risk: *Critical* 17/25
AC:Basic/A:None/CI:Some/II:Some/E:Proof/TD:All [2]
Vulnerability: Cross site scripting

Affected versions: >= 8.0.0 < 10.3.13 || >= 10.4.0 < 10.4.3 || >= 11.0.0 < 11.0.12 || >= 11.1.0 < 11.1.3
Description: 
Drupal core doesn't sufficiently filter error messages under certain
circumstances, leading to a reflected Cross Site Scripting vulnerability
(XSS).

Sites are encouraged to update. There are not yet publicly documented steps to
exploit this, but there may be soon given the nature of this issue.

This issue is being protected by Drupal Steward [3]. Sites that use Drupal
Steward are already protected, but are still encouraged to upgrade in the
near future.

Solution: 
Install the latest version:

  * If you use Drupal 10.3.x, update to Drupal 10.3.13 [4]
  * If you use Drupal 10.4.x, update to Drupal 10.4.3 [5]
  * If you use Drupal 11.0.x, update to Drupal 11.0.12 [6]
  * If you use Drupal 11.1.x, update to Drupal 11.1.3 [7]

All versions of Drupal 10 prior to 10.3 are end-of-life and do not receive
security coverage. (Drupal 8 [8] and Drupal 9 [9] have both reached
end-of-life.)
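To check a site inventory against the ranges above, the following added Python example (not part of the advisory or of Drupal core) parses the advisory's version-constraint expression, reports whether a given core version falls inside it, and looks up the fixed release for that branch; stripping pre-release tags such as "-dev" before comparing is an assumption of this example.

```python
import re
from typing import List, Optional, Tuple

# Affected-version expression copied verbatim from SA-CORE-2025-001.
AFFECTED = (">= 8.0.0 < 10.3.13 || >= 10.4.0 < 10.4.3 || "
            ">= 11.0.0 < 11.0.12 || >= 11.1.0 < 11.1.3")

# Fixed releases listed in the advisory, keyed by minor branch.
FIXED = {"10.3": "10.3.13", "10.4": "10.4.3",
         "11.0": "11.0.12", "11.1": "11.1.3"}

# One comparison clause: an operator followed by a dotted version.
_CLAUSE = re.compile(r"(>=|<=|>|<|==)\s*(\d+(?:\.\d+)*)")

def parse_version(v: str) -> Tuple[int, ...]:
    """'10.3.12' -> (10, 3, 12). Assumption: a pre-release or build tag
    ('10.4.3-dev', '11.1.3+abc') is dropped, so it compares as the core."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split("."))

def _cmp(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    # Pad with zeros so (10, 3) compares equal to (10, 3, 0).
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

_OPS = {">=": lambda c: c >= 0, ">": lambda c: c > 0,
        "<=": lambda c: c <= 0, "<": lambda c: c < 0, "==": lambda c: c == 0}

def parse_constraint(expr: str) -> List[List[Tuple[str, Tuple[int, ...]]]]:
    """Split 'a b || c d' into OR-groups, each a list of AND-ed clauses."""
    groups = []
    for alt in expr.split("||"):
        clauses = _CLAUSE.findall(alt)
        if not clauses:
            raise ValueError(f"unparseable range: {alt!r}")
        groups.append([(op, parse_version(ver)) for op, ver in clauses])
    return groups

def is_affected(version: str, expr: str = AFFECTED) -> bool:
    """True when the version satisfies every clause of any OR-group."""
    v = parse_version(version)
    return any(all(_OPS[op](_cmp(v, bound)) for op, bound in group)
               for group in parse_constraint(expr))

def fixed_release(version: str) -> Optional[str]:
    """The advisory's fix for this branch, or None when the branch has no
    listed fix (end-of-life branches such as 8.x, 9.x or 10.2.x)."""
    major, minor = parse_version(version)[:2]
    return FIXED.get(f"{major}.{minor}")
```

A branch that is affected but has no fixed release returned is end-of-life and needs a branch upgrade rather than a point update.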

Reported By: 
  * Arne (arkepp) [10]
  * bdanin [11]
  * Douglas Groene (dgroene) [12]
  * Dragos Dumitrescu (dragos-dumi) [13]
  * Flo Kosiol (flokosiol) [14]
  * Gerardo Cadau (juanramonperez) [15]
  * Justin Christoffersen (larsdesigns) [16]
  * nuwans [17]
  * Sven Decabooter (svendecabooter) [18]
  * Will Gunn (wgunn_e) [19]

Fixed By: 
  * catch (catch) [20] of the Drupal Security Team
  * Drew Webber (mcdruid) [21] of the Drupal Security Team



[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/steward
[4] https://www.drupal.org/project/drupal/releases/10.3.13
[5] https://www.drupal.org/project/drupal/releases/10.4.3
[6] https://www.drupal.org/project/drupal/releases/11.0.12
[7] https://www.drupal.org/project/drupal/releases/11.1.3
[8] https://www.drupal.org/psa-2021-06-29
[9] https://www.drupal.org/psa-2023-11-01
[10] https://www.drupal.org/u/arkepp
[11] https://www.drupal.org/u/bdanin
[12] https://www.drupal.org/u/dgroene
[13] https://www.drupal.org/u/dragos-dumi
[14] https://www.drupal.org/u/flokosiol
[15] https://www.drupal.org/u/juanramonperez
[16] https://www.drupal.org/u/larsdesigns
[17] https://www.drupal.org/u/nuwans
[18] https://www.drupal.org/u/svendecabooter
[19] https://www.drupal.org/u/wgunn_e
[20] https://www.drupal.org/u/catch
[21] https://www.drupal.org/u/mcdruid
