<div dir="ltr"><div><br></div><div class="gmail_quote">View online: <a href="https://www.drupal.org/sa-core-2024-005" rel="noreferrer" target="_blank">https://www.drupal.org/sa-core-2024-005</a><br>
<br>
Project: Drupal core [1]<br>
Date: 2024-November-20<br>
Security risk: *Critical* 17 ∕ 25<br>
AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]<br>
Vulnerability: Cross Site Scripting<br>
<br>
Description: <br>
Drupal 7 core's Overlay module doesn't safely handle user input, leading to<br>
reflected cross-site scripting under certain circumstances.<br>
<br>
Only sites with the Overlay module enabled are affected by this<br>
vulnerability.<br>
<br>
Solution: <br>
Install the latest version:<br>
<br>
* If you are using Drupal 7, update to Drupal 7.102 [3]<br>
* Sites may also disable the Overlay module to avoid the issue.<br>
<br>
Drupal 10 and Drupal 11 are not affected, as the Overlay module was removed<br>
from Drupal core in Drupal 8.<br>
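An added example, not part of the advisory, of the check a site operator would want before and after patching: it combines the two facts the advisory ties the exposure to (a Drupal 7 core version below 7.102 and the Overlay module being enabled). The bootstrap.inc line and the module list below are constructed samples; reading them from a real site via the VERSION define in includes/bootstrap.inc and a Drush module listing is an assumption of this example, not something the advisory describes.<br>

```python
import re

# Drupal 7 release that carries the fix for SA-CORE-2024-005 (from the advisory).
FIXED_VERSION = "7.102"

# Constructed sample of the line Drupal 7 keeps in includes/bootstrap.inc;
# a real audit reads that file from the site's docroot.
SAMPLE_BOOTSTRAP_INC = "<?php\ndefine('VERSION', '7.101');\n"

# Constructed sample of an enabled-module list, one machine name per line
# (assumed to come from e.g. `drush pm-list --status=enabled --type=module --pipe`).
SAMPLE_ENABLED_MODULES = "block\nnode\noverlay\nsystem\nuser\n"


def parse_drupal_version(bootstrap_inc_source):
    """Return the VERSION string defined in bootstrap.inc, or None if absent."""
    m = re.search(r"define\(\s*'VERSION'\s*,\s*'([^']+)'\s*\)", bootstrap_inc_source)
    return m.group(1) if m else None


def version_tuple(version):
    """Turn '7.102' into (7, 102) so the comparison is numeric: as strings
    '7.99' sorts after '7.102', which would wrongly mark 7.99 as fixed.
    Non-numeric components ('7.x-dev') resolve to 0 and are treated as old."""
    parts = []
    for p in version.split("."):
        digits = re.match(r"\d+", p)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def is_affected(version, enabled_modules):
    """Affected per the advisory: Drupal 7 below 7.102 with Overlay enabled.
    Drupal 8+ never shipped Overlay, so other major versions are unaffected."""
    v = version_tuple(version)
    if not v or v[0] != 7 or v >= version_tuple(FIXED_VERSION):
        return False
    enabled = {m.strip() for m in enabled_modules.splitlines() if m.strip()}
    return "overlay" in enabled


def audit(bootstrap_inc_source, enabled_modules_output):
    """Combine both inputs into a verdict (True/False/None) and a short reason."""
    version = parse_drupal_version(bootstrap_inc_source)
    if version is None:
        return (None, "could not determine Drupal version from bootstrap.inc")
    if is_affected(version, enabled_modules_output):
        return (True, "Drupal %s with Overlay enabled: update to %s or disable Overlay"
                % (version, FIXED_VERSION))
    return (False, "Drupal %s: not affected by SA-CORE-2024-005" % version)


if __name__ == "__main__":
    print(audit(SAMPLE_BOOTSTRAP_INC, SAMPLE_ENABLED_MODULES))
```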
<br>
Reported By: <br>
* Cesar [4]<br>
<br>
Fixed By: <br>
* Cesar [5]<br>
* Greg Knaddison [6] of the Drupal Security Team<br>
* Matthew Grill [7]<br>
* Wim Leers [8]<br>
* Drew Webber [9] of the Drupal Security Team<br>
* Ra Mänd [10]<br>
* Fabian Franz [11]<br>
* Juraj Nemec [12] of the Drupal Security Team<br>
<br>
Coordinated By: <br>
* Juraj Nemec [13] of the Drupal Security Team<br>
* Greg Knaddison [14] of the Drupal Security Team<br>
* xjm [15] of the Drupal Security Team<br>
<br>
<br>
[1] <a href="https://www.drupal.org/project/drupal" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal</a><br>
[2] <a href="https://www.drupal.org/security-team/risk-levels" rel="noreferrer" target="_blank">https://www.drupal.org/security-team/risk-levels</a><br>
[3] <a href="https://www.drupal.org/project/drupal/releases/7.102" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal/releases/7.102</a><br>
[4] <a href="https://www.drupal.org/user/3546810" rel="noreferrer" target="_blank">https://www.drupal.org/user/3546810</a><br>
[5] <a href="https://www.drupal.org/user/3546810" rel="noreferrer" target="_blank">https://www.drupal.org/user/3546810</a><br>
[6] <a href="https://www.drupal.org/user/36762" rel="noreferrer" target="_blank">https://www.drupal.org/user/36762</a><br>
[7] <a href="https://www.drupal.org/user/1602706" rel="noreferrer" target="_blank">https://www.drupal.org/user/1602706</a><br>
[8] <a href="https://www.drupal.org/user/99777" rel="noreferrer" target="_blank">https://www.drupal.org/user/99777</a><br>
[9] <a href="https://www.drupal.org/user/255969" rel="noreferrer" target="_blank">https://www.drupal.org/user/255969</a><br>
[10] <a href="https://www.drupal.org/user/601534" rel="noreferrer" target="_blank">https://www.drupal.org/user/601534</a><br>
[11] <a href="https://www.drupal.org/user/693738" rel="noreferrer" target="_blank">https://www.drupal.org/user/693738</a><br>
[12] <a href="https://www.drupal.org/user/272316" rel="noreferrer" target="_blank">https://www.drupal.org/user/272316</a><br>
[13] <a href="https://www.drupal.org/user/272316" rel="noreferrer" target="_blank">https://www.drupal.org/user/272316</a><br>
[14] <a href="https://www.drupal.org/user/36762" rel="noreferrer" target="_blank">https://www.drupal.org/user/36762</a><br>
[15] <a href="https://www.drupal.org/u/xjm" rel="noreferrer" target="_blank">https://www.drupal.org/u/xjm</a><br>
<br>
_______________________________________________<br>
Security-news mailing list<br>
<a href="mailto:Security-news@drupal.org" target="_blank">Security-news@drupal.org</a><br>
Unsubscribe at <a href="https://lists.drupal.org/mailman/listinfo/security-news" rel="noreferrer" target="_blank">https://lists.drupal.org/mailman/listinfo/security-news</a><br>
</div><div class="gmail_quote"><br></div><div class="gmail_quote"><div>===</div><div>Computer Security Incident Response Team - CSIRT</div><div>Universidade Estadual de Campinas - Unicamp</div><div>Centro de Computacao - CCUEC</div><div>GnuPG Public Key: <a href="http://www.security.unicamp.br/security.asc" target="_blank">http://www.security.unicamp.br/security.asc</a></div><div>Contact: +55 19 3521-2289 or INOC-DBA: 1251*830</div></div></div>