it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-007
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-007
- Date: Wed, 16 Sep 2020 18:16:52 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-core-2020-007
Project: Drupal core [1]
Date: 2020-September-16
Security risk: *Moderately critical* 14/25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross-site scripting
CVE IDs: CVE-2020-13666
Description:
The Drupal AJAX API does not disable JSONP by default, which can lead to
cross-site scripting.
Solution:
Install the latest version:
* If you are using Drupal 7.x, upgrade to Drupal 7.73 [3].
* If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10 [4].
* If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6 [5].
* If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6 [6].
Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive
security coverage. Sites on 8.7.x or earlier should update to 8.8.10.
If you were previously relying on Drupal's AJAX API to perform trusted JSONP
requests, you'll either need to override the AJAX options to set "jsonp:
true", or you'll need to use the jQuery AJAX API directly.
If you are using jQuery's AJAX API for user-provided URLs in a contrib or
custom module, you should review your code and set "jsonp: false" where this
is appropriate.
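As an added illustration (not Drupal core or jQuery code) of the two settings the advisory mentions: the first function models the rule in jQuery's JSONP prefilter that decides when a "json" request is promoted to a script load, and the second applies the advisory's guidance in a custom module by keeping "jsonp: false" as the default and only honouring an explicit "jsonp: true" for an allowlisted origin. The allowlist, base URL and sample URL are constructed values.

```javascript
// Added example, not Drupal core or jQuery code. wouldPromoteToJsonp() models
// the rule in jQuery's JSONP prefilter: a "json" request whose URL (or string
// body) carries a "=?" callback placeholder is silently turned into a <script>
// load unless the settings say jsonp: false. RJSONP is the pattern jQuery uses;
// the rest is an assumption written for this example.
const RJSONP = /(=)\?(?=&|$)|\?\?/;

function wouldPromoteToJsonp(settings) {
  const dataType = (settings.dataType || "*").trim().toLowerCase();
  // The prefilter only runs for json/jsonp requests; other types never promote.
  if (dataType !== "json" && dataType !== "jsonp") return false;
  if (dataType === "jsonp") return true;            // explicit JSONP request
  if (settings.jsonp === false) return false;       // promotion disabled
  const url = settings.url || "";
  const body = typeof settings.data === "string" ? settings.data : "";
  return RJSONP.test(url) || RJSONP.test(body);
}

// Models the advisory's guidance for a custom module: JSONP stays off by
// default, and a caller may only opt in (jsonp: true) for an origin the site
// has decided to trust. The allowlist and base URL are constructed values.
const TRUSTED_JSONP_ORIGINS = ["https://api.example.invalid"];
const SITE_BASE = "https://site.example.invalid";

function buildAjaxSettings(url, overrides = {}) {
  const settings = { url, dataType: "json", jsonp: false, ...overrides };
  if (settings.jsonp !== false) {
    let origin = null;
    try {
      origin = new URL(url, SITE_BASE).origin;
    } catch (e) {
      origin = null;
    }
    if (!TRUSTED_JSONP_ORIGINS.includes(origin)) {
      throw new Error("JSONP opt-in refused for untrusted URL: " + url);
    }
  }
  return settings;
}

// Constructed sample: a user-supplied URL carrying a callback placeholder.
const userUrl = "/feed?callback=?";
console.log(wouldPromoteToJsonp({ url: userUrl, dataType: "json" }));   // true
console.log(wouldPromoteToJsonp(buildAjaxSettings(userUrl)));          // false
```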
Reported By:
* Samuel Mortenson [7] of the Drupal Security Team
Fixed By:
* Samuel Mortenson [8] of the Drupal Security Team
* Théodore Biadala [9]
* Lee Rowlands [10] of the Drupal Security Team
* David Snopek [11] of the Drupal Security Team
* Nathaniel Catchpole [12] of the Drupal Security Team
* Alex Bronstein [13] of the Drupal Security Team
* Drew Webber [14] of the Drupal Security Team
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/7.73
[4] https://www.drupal.org/project/drupal/releases/8.8.10
[5] https://www.drupal.org/project/drupal/releases/8.9.6
[6] https://www.drupal.org/project/drupal/releases/9.0.6
[7] https://www.drupal.org/user/2582268
[8] https://www.drupal.org/user/2582268
[9] https://www.drupal.org/user/598310
[10] https://www.drupal.org/user/395439
[11] https://www.drupal.org/user/266527
[12] https://www.drupal.org/user/35733
[13] https://www.drupal.org/user/78040
[14] https://www.drupal.org/user/255969
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
Archive provided by MHonArc 2.6.19.