[SECURITY-L] [Security-news] Drupal core - Critical - Cross-site scripting - SA-CORE-2021-002

CSIRT Unicamp security em unicamp.br
Quinta Abril 22 13:34:13 -03 2021 

Project: Drupal core [1]
Date: 2021-April-21
Security risk: *Critical* 15∕25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross-site scripting

Description:
Drupal core's sanitization API fails to properly filter cross-site scripting
under certain circumstances.

Not all sites and users are affected, but configuration changes to prevent
the exploit might be impractical and will vary between sites. Therefore, we
recommend all sites update to this release as soon as possible.

Solution:
Install the latest version:

   * If you are using Drupal 9.1, update to Drupal 9.1.7 [3].
   * If you are using Drupal 9.0, update to Drupal 9.0.12 [4].
   * If you are using Drupal 8.9, update to Drupal 8.9.14 [5].
   * If you are using Drupal 7, update to Drupal 7.80 [6].

Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive
security coverage.

Reported By:
   * Jasper Mattsson [7]

Fixed By:
   * Alex Pott [8] of the Drupal Security Team
   * Jasper Mattsson [9]
   * Michael Hess [10] of the Drupal Security Team
   * Wim Leers [11]
   * Heine [12] of the Drupal Security Team
   * Peter Wolanin [13] of the Drupal Security Team
   * Jess (xjm) [14] of the Drupal Security Team
   * Samuel Mortenson [15] of the Drupal Security Team
   * nwellnhof [16]
   * Alex Bronstein [17] of the Drupal Security Team
   * Lee Rowlands [18] of the Drupal Security Team
   * Adam G-H [19]
   * Drew Webber [20] of the Drupal Security Team


[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/9.1.7
[4] https://www.drupal.org/project/drupal/releases/9.0.12
[5] https://www.drupal.org/project/drupal/releases/8.9.14
[6] https://www.drupal.org/project/drupal/releases/7.80
[7] https://www.drupal.org/user/521118
[8] https://www.drupal.org/user/157725
[9] https://www.drupal.org/user/521118
[10] https://www.drupal.org/user/102818
[11] https://www.drupal.org/user/99777
[12] https://www.drupal.org/user/17943
[13] https://www.drupal.org/user/49851
[14] https://www.drupal.org/user/65776
[15] https://www.drupal.org/user/2582268
[16] https://www.drupal.org/user/3407764
[17] https://www.drupal.org/user/78040
[18] https://www.drupal.org/user/395439
[19] https://www.drupal.org/user/205645
[20] https://www.drupal.org/user/255969
===
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - Unicamp
Centro de Computacao - CCUEC
GnuPG Public Key: http://www.security.unicamp.br/security.asc [^]
Contato: +55 19 3521-2289 ou INOC-DBA: 1251*830
-------------- Próxima Parte ----------
Um anexo em HTML foi limpo...
URL: <http://www.listas.unicamp.br/pipermail/security-l/attachments/20210422/9313f50b/attachment.html>

Mais detalhes sobre a lista de discussão SECURITY-L