it-securitynotifies AT lists.piratenpartei.de
Betreff: Sicherheitsankündigungen
Listenarchiv
[IT-SecNots] [Security-news] Drupal core - Critical - Cross-site scripting - SA-CORE-2021-002
Chronologisch Thread
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Drupal core - Critical - Cross-site scripting - SA-CORE-2021-002
- Date: Wed, 21 Apr 2021 16:34:54 +0000 (UTC)
- Authentication-results: mail02.piratenpartei.de; dkim=none; spf=pass (mail02.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.136 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-core-2021-002
Project: Drupal core [1]
Date: 2021-April-21
Security risk: *Critical* 15∕25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross-site scripting
Description:
Drupal core's sanitization API fails to properly filter cross-site scripting
under certain circumstances.
Not all sites and users are affected, but configuration changes to prevent
the exploit might be impractical and will vary between sites. Therefore, we
recommend all sites update to this release as soon as possible.
Solution:
Install the latest version:
* If you are using Drupal 9.1, update to Drupal 9.1.7 [3].
* If you are using Drupal 9.0, update to Drupal 9.0.12 [4].
* If you are using Drupal 8.9, update to Drupal 8.9.14 [5].
* If you are using Drupal 7, update to Drupal 7.80 [6].
Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive
security coverage.
Reported By:
* Jasper Mattsson [7]
Fixed By:
* Alex Pott [8] of the Drupal Security Team
* Jasper Mattsson [9]
* Michael Hess [10] of the Drupal Security Team
* Wim Leers [11]
* Heine [12] of the Drupal Security Team
* Peter Wolanin [13] of the Drupal Security Team
* Jess (xjm) [14] of the Drupal Security Team
* Samuel Mortenson [15] of the Drupal Security Team
* nwellnhof [16]
* Alex Bronstein [17] of the Drupal Security Team
* Lee Rowlands [18] of the Drupal Security Team
* Adam G-H [19]
* Drew Webber [20] of the Drupal Security Team
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/9.1.7
[4] https://www.drupal.org/project/drupal/releases/9.0.12
[5] https://www.drupal.org/project/drupal/releases/8.9.14
[6] https://www.drupal.org/project/drupal/releases/7.80
[7] https://www.drupal.org/user/521118
[8] https://www.drupal.org/user/157725
[9] https://www.drupal.org/user/521118
[10] https://www.drupal.org/user/102818
[11] https://www.drupal.org/user/99777
[12] https://www.drupal.org/user/17943
[13] https://www.drupal.org/user/49851
[14] https://www.drupal.org/user/65776
[15] https://www.drupal.org/user/2582268
[16] https://www.drupal.org/user/3407764
[17] https://www.drupal.org/user/78040
[18] https://www.drupal.org/user/395439
[19] https://www.drupal.org/user/205645
[20] https://www.drupal.org/user/255969
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
- [IT-SecNots] [Security-news] Drupal core - Critical - Cross-site scripting - SA-CORE-2021-002, security-news, 21.04.2021
Archiv bereitgestellt durch MHonArc 2.6.24.