[Security-news] Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2025-004
security-news at drupal.org
security-news at drupal.org
Wed Mar 19 18:54:37 UTC 2025
View online: https://www.drupal.org/sa-core-2025-004
Project: Drupal core [1]
Date: 2025-March-19
Security risk: *Moderately critical* 13 ∕ 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross Site Scripting
Affected versions: >= 8.0.0 < 10.3.14 || >= 10.4.0 < 10.4.5 || >= 11.0.0 <
11.0.13 || >= 11.1.0 < 11.1.5
Description:
Drupal core Link field attributes are not sufficiently sanitized, which can
lead to a Cross Site Scripting vulnerability (XSS).
This vulnerability is mitigated by that fact that an attacker would need to
have the ability to add specific attributes to a Link field, which typically
requires edit access via core web services, or a contrib or custom module.
Sites with the Link module disabled or that do not use any link fields are
not affected.
Solution:
Install the latest version:
* If you use Drupal 10.3.x, update to Drupal 10.3.14 [3]
* If you use Drupal 10.4.x, update to Drupal 10.4.5 [4]
* If you use Drupal 11.0.x, update to Drupal 11.0.13 [5]
* If you use Drupal 11.1.x, update to Drupal 11.1.5 [6]
All versions of Drupal prior to 10.3 are end-of-life and do not receive
security coverage from the Drupal Security Team.
Reported By:
* Samuel Mortenson (samuel.mortenson) [7]
Fixed By:
* Benji Fisher (benjifisher) [8] of the Drupal Security Team
* Bram Driesen (bramdriesen) [9] Provisional Member of the Drupal Security
Team
* Alex Bronstein (effulgentsia) [10]
* Jen Lampton (jenlampton) [11] Provisional Member of the Drupal Security
Team
* Lee Rowlands (larowlan) [12] of the Drupal Security Team
* Dave Long (longwave) [13] of the Drupal Security Team
* Drew Webber (mcdruid) [14] of the Drupal Security Team
* Joseph Zhao (pandaski) [15] Provisional Member of the Drupal Security Team
* Adam G-H (phenaproxima) [16]
* Samuel Mortenson (samuel.mortenson) [17]
* Jess (xjm) [18] of the Drupal Security Team
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/10.3.14
[4] https://www.drupal.org/project/drupal/releases/10.4.5
[5] https://www.drupal.org/project/drupal/releases/11.0.13
[6] https://www.drupal.org/project/drupal/releases/11.1.5
[7] https://www.drupal.org/u/samuelmortenson
[8] https://www.drupal.org/u/benjifisher
[9] https://www.drupal.org/u/bramdriesen
[10] https://www.drupal.org/u/effulgentsia
[11] https://www.drupal.org/u/jenlampton
[12] https://www.drupal.org/u/larowlan
[13] https://www.drupal.org/u/longwave
[14] https://www.drupal.org/u/mcdruid
[15] https://www.drupal.org/u/pandaski
[16] https://www.drupal.org/u/phenaproxima
[17] https://www.drupal.org/u/samuelmortenson
[18] https://www.drupal.org/u/xjm
More information about the Security-news
mailing list