it-securitynotifies AT lists.piratenpartei.de
Betreff: Sicherheitsankündigungen
Listenarchiv
[IT-SecNots] [Security-news] Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2022-001
Chronologisch Thread
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2022-001
- Date: Wed, 19 Jan 2022 17:47:27 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-core-2022-001
Project: Drupal core [1]
Date: 2022-January-19
Security risk: *Moderately critical* 14∕25
AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default [2]
Vulnerability: Cross Site Scripting
Description:
jQuery UI is a third-party library used by Drupal. This library was
previously thought to be end-of-life.
Late in 2021, jQuery UI announced that they would be continuing development,
and released a jQuery UI 1.13.0 [3] version. As part of this 1.13.0 update,
they disclosed the following security issue that may affect Drupal 9 and 7:
* CVE-2021-41183: XSS in the of option of the .position() util [4]
It is possible that this vulnerability is exploitable with some Drupal
modules. As a precaution, this Drupal security release applies the fix for
the above cross-site description issue, without making any of the other
changes to the jQuery version that is included in Drupal.
This advisory is not covered by Drupal Steward [5].
Solution:
Install the latest version:
* If you are using Drupal 9.3, update to Drupal 9.3.3 [6].
* If you are using Drupal 9.2, update to Drupal 9.2.11 [7].
* If you are using Drupal 7, update to Drupal 7.86 [8].
All versions of Drupal 8 and 9 prior to 9.2.x are end-of-life and do not
receive security coverage. Note that Drupal 8 has reached its end of life
[9].
Reported By:
* Lauri Eskola [10]
Fixed By:
* Lauri Eskola [11]
* Chris [12] of the Drupal Security Team
* Drew Webber [13] of the Drupal Security Team
* Alex Bronstein [14] of the Drupal Security Team
* Ben Mullins [15]
* xjm [16] of the Drupal Security Team
* Théodore Biadala [17]
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/
[4]
https://github.com/jquery/jquery-ui/security/advisories/GHSA-j7qv-pgf6-hvh4
[5] https://www.drupal.org/steward
[6] https://www.drupal.org/project/drupal/releases/9.3.3
[7] https://www.drupal.org/project/drupal/releases/9.2.11
[8] https://www.drupal.org/project/drupal/releases/7.86
[9] https://www.drupal.org/psa-2021-06-29
[10] https://www.drupal.org/user/1078742
[11] https://www.drupal.org/user/1078742
[12] https://www.drupal.org/user/1850070
[13] https://www.drupal.org/user/255969
[14] https://www.drupal.org/user/78040
[15] https://www.drupal.org/user/2369194
[16] https://www.drupal.org/user/65776
[17] https://www.drupal.org/user/598310
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
- [IT-SecNots] [Security-news] Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2022-001, security-news, 19.01.2022
Archiv bereitgestellt durch MHonArc 2.6.24.