[SECURITY-L] Fwd: [Security-news] Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2022-001

CSIRT Unicamp security at unicamp.br
Thu Jan 20 09:58:04 -03 2022


---------- Forwarded message ---------
From: <security-news at drupal.org>
Date: Wed, Jan 19, 2022 at 14:50
Subject: [Security-news] Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2022-001
To: <security-news at drupal.org>


View online: https://www.drupal.org/sa-core-2022-001

Project: Drupal core [1]
Date: 2022-January-19
Security risk: *Moderately critical* 14/25
AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default [2]
Vulnerability: Cross Site Scripting

Description:
jQuery UI is a third-party library used by Drupal. This library was
previously thought to be end-of-life.

Late in 2021, jQuery UI announced that they would be continuing development,
and released a jQuery UI 1.13.0 [3] version. As part of this 1.13.0 update,
they disclosed the following security issue that may affect Drupal 9 and 7:

   * CVE-2021-41183: XSS in the "of" option of the .position() util [4]

It is possible that this vulnerability is exploitable with some Drupal
modules. As a precaution, this Drupal security release applies the fix for
the above cross-site scripting issue, without making any of the other
changes to the jQuery UI version that is included in Drupal.

This advisory is not covered by Drupal Steward [5].

Solution:
Install the latest version:

   * If you are using Drupal 9.3, update to Drupal 9.3.3 [6].
   * If you are using Drupal 9.2, update to Drupal 9.2.11 [7].
   * If you are using Drupal 7, update to Drupal 7.86 [8].

All versions of Drupal 8 and 9 prior to 9.2.x are end-of-life and do not
receive security coverage. Note that Drupal 8 has reached its end of life
[9].
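For triaging a fleet of sites against the releases listed above, here is an added helper that is not part of the advisory or of Drupal: a POSIX shell function that takes an installed core version string (for instance the one reported by `drush status`) and reports whether that branch already carries the fix, is still vulnerable, is end-of-life per the note above, or is a branch this advisory does not cover.

```shell
#!/bin/sh
# Added example (not from the advisory). Classifies a Drupal core version
# against the fixed releases named in SA-CORE-2022-001.
# Usage: sa_core_2022_001_status <version>  -> fixed|vulnerable|eol|unknown

# version_ge A B: succeed when dotted numeric version A >= B.
version_ge() {
  a="${1%%[-+]*}"; b="${2%%[-+]*}"   # pre-release/build suffixes are ignored
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    ai="${ai:-0}"; bi="${bi:-0}"    # missing components count as 0
    if [ "$ai" -gt "$bi" ]; then return 0; fi
    if [ "$ai" -lt "$bi" ]; then return 1; fi
  done
  return 0
}

sa_core_2022_001_status() {
  case "$1" in
    9.3.*) fixed="9.3.3" ;;
    9.2.*) fixed="9.2.11" ;;
    7.*)   fixed="7.86" ;;
    8.*|9.0.*|9.1.*) echo eol; return 0 ;;   # no security coverage at all
    *) echo unknown; return 0 ;;             # branch not covered by this advisory
  esac
  if version_ge "$1" "$fixed"; then echo fixed; else echo vulnerable; fi
}
```

An `eol` result is not "safe": those branches never received this fix and need a branch upgrade rather than a point release.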

Reported By:
   * Lauri Eskola [10]

Fixed By:
   * Lauri Eskola [11]
   * Chris [12] of the Drupal Security Team
   * Drew Webber [13] of the Drupal Security Team
   * Alex Bronstein [14] of the Drupal Security Team
   * Ben Mullins [15]
   * xjm [16] of the Drupal Security Team
   * Théodore Biadala [17]


[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/
[4] https://github.com/jquery/jquery-ui/security/advisories/GHSA-j7qv-pgf6-hvh4
[5] https://www.drupal.org/steward
[6] https://www.drupal.org/project/drupal/releases/9.3.3
[7] https://www.drupal.org/project/drupal/releases/9.2.11
[8] https://www.drupal.org/project/drupal/releases/7.86
[9] https://www.drupal.org/psa-2021-06-29
[10] https://www.drupal.org/user/1078742
[11] https://www.drupal.org/user/1078742
[12] https://www.drupal.org/user/1850070
[13] https://www.drupal.org/user/255969
[14] https://www.drupal.org/user/78040
[15] https://www.drupal.org/user/2369194
[16] https://www.drupal.org/user/65776
[17] https://www.drupal.org/user/598310

_______________________________________________
Security-news mailing list
Security-news at drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

