[SECURITY-L] [Security-news] Drupal core - Critical - Cross Site Scripting - SA-CORE-2024-005

CSIRT Unicamp security at unicamp.br
Thursday November 21 09:29:14 -03 2024


View online: https://www.drupal.org/sa-core-2024-005

Project: Drupal core [1]
Date: 2024-November-20
Security risk: *Critical* 17/25
AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross Site Scripting

Description:
Drupal 7 core's Overlay module doesn't safely handle user input, leading to
reflected cross-site scripting under certain circumstances.

Only sites with the Overlay module enabled are affected by this
vulnerability.

Solution:
Install the latest version:

   * If you are using Drupal 7, update to Drupal 7.102 [3]
   * Sites may also disable the Overlay module to avoid the issue.

Drupal 10 and Drupal 11 are not affected, as the Overlay module was removed
from Drupal core in Drupal 8.
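The advisory leaves the operator with two facts to establish per site: is core older than 7.102, and is the Overlay module enabled. The following POSIX shell helpers are an added triage example, not part of the advisory or of Drupal; they read the VERSION constant that Drupal 7 defines in includes/bootstrap.inc and combine it with the module status from the `system` table (both real Drupal 7 structures). The docroot path and the use of drush for the database query are assumptions to adapt to your environment.

```shell
#!/bin/sh
# Added triage helper for SA-CORE-2024-005 (example code, not the advisory's).
# Exposure requires both conditions named in the advisory:
#   1. Drupal 7 core older than 7.102
#   2. the Overlay module enabled
# Assumptions: DOCROOT points at a Drupal 7 checkout and drush can reach its DB.

FIXED_VERSION="7.102"
DOCROOT="${DOCROOT:-/var/www/drupal}"   # assumed path, override as needed

# Extract the core version from includes/bootstrap.inc, which in Drupal 7
# contains a line of the form:  define('VERSION', '7.101');
d7_core_version() {
  sed -n "s/^define('VERSION', '\([0-9.]*\)');.*/\1/p" "$1" | head -n 1
}

# True (exit 0) when dot-separated numeric version $1 is older than $2.
# Numeric per-field sort avoids the string-order trap where 7.99 > 7.102.
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# Live lookup of the Overlay module status (1 = enabled, 0 = disabled) from
# Drupal 7's system table; requires a working drush alias for the site.
d7_overlay_status() {
  drush -r "$DOCROOT" sql-query \
    "SELECT status FROM system WHERE type = 'module' AND name = 'overlay'"
}

# Decide exposure from the two facts: $1 = core version, $2 = overlay status.
# Exit 0 means the site needs the update (or Overlay disabled as a stopgap).
d7_overlay_exposed() {
  version_lt "$1" "$FIXED_VERSION" && [ "$2" = "1" ]
}

# Stand-alone run against a live docroot; the functions above are also
# usable on their own in a fleet inventory script.
main() {
  version="$(d7_core_version "$DOCROOT/includes/bootstrap.inc")"
  status="$(d7_overlay_status)"
  if d7_overlay_exposed "$version" "$status"; then
    echo "EXPOSED: Drupal $version with Overlay enabled; update to $FIXED_VERSION"
  else
    echo "not exposed: Drupal $version, overlay status ${status:-unknown}"
  fi
}

[ "${RUN_MAIN:-0}" = "1" ] && main
```

Run with `RUN_MAIN=1 DOCROOT=/path/to/site sh triage.sh`; disabling Overlay as the advisory's interim measure and re-running should flip the result to "not exposed" without changing the reported version.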

Reported By:
   * Cesar [4]

Fixed By:
   * Cesar [5]
   * Greg Knaddison [6] of the Drupal Security Team
   * Matthew Grill [7]
   * Wim Leers [8]
   * Drew Webber [9] of the Drupal Security Team
   * Ra Mänd [10]
   * Fabian Franz [11]
   * Juraj Nemec [12] of the Drupal Security Team

Coordinated By:
   * Juraj Nemec [13] of the Drupal Security Team
   * Greg Knaddison [14] of the Drupal Security Team
   * xjm [15] of the Drupal Security Team


[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/7.102
[4] https://www.drupal.org/user/3546810
[5] https://www.drupal.org/user/3546810
[6] https://www.drupal.org/user/36762
[7] https://www.drupal.org/user/1602706
[8] https://www.drupal.org/user/99777
[9] https://www.drupal.org/user/255969
[10] https://www.drupal.org/user/601534
[11] https://www.drupal.org/user/693738
[12] https://www.drupal.org/user/272316
[13] https://www.drupal.org/user/272316
[14] https://www.drupal.org/user/36762
[15] https://www.drupal.org/u/xjm

_______________________________________________
Security-news mailing list
Security-news at drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news


===
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - Unicamp
Centro de Computacao - CCUEC
GnuPG Public Key: http://www.security.unicamp.br/security.asc
Contact: +55 19 3521-2289 or INOC-DBA: 1251*830