
it-securitynotifies - [IT-SecNots] [Security-news] Drupal core - Critical - Cross Site Scripting - SA-CORE-2024-005

it-securitynotifies AT lists.piratenpartei.de

Topic: Security announcements

List archive



  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Drupal core - Critical - Cross Site Scripting - SA-CORE-2024-005
  • Date: Wed, 20 Nov 2024 20:23:48 +0000 (UTC)
  • Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=NHgnzeLz; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.138 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org E058585796
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 8B506407BC
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-core-2024-005

Project: Drupal core [1]
Date: 2024-November-20
Security risk: *Critical* 17 ∕ 25
AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross Site Scripting

Description: 
Drupal 7 core's Overlay module doesn't safely handle user input, leading to
reflected cross-site scripting under certain circumstances.

Only sites with the Overlay module enabled are affected by this
vulnerability.

Solution: 
Install the latest version:

* If you are using Drupal 7, update to Drupal 7.102 [3]
* Sites may also disable the Overlay module to avoid the issue.

Drupal 10 and Drupal 11 are not affected, as the Overlay module was removed
from Drupal core in Drupal 8.
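The advisory gives two exposure conditions (Drupal 7 core below 7.102, and the Overlay module enabled). The triage helper below is an added example, not part of the advisory or of Drupal core: it reads the core version the way Drupal 7 declares it (the VERSION constant in includes/bootstrap.inc) and module status the way Drupal 7 stores it (the `system` table, columns name/type/status) and returns a verdict. The sample bootstrap.inc text and `system` rows are constructed for illustration; the status labels are this example's own.

```python
"""Triage helper for SA-CORE-2024-005 (Drupal 7 Overlay reflected XSS).

Added example, not advisory or Drupal core code. Inputs are a copy of
includes/bootstrap.inc and rows from the Drupal 7 `system` table.
"""
import re

FIXED_VERSION = (7, 102)  # advisory: update to Drupal 7.102

# Constructed sample of includes/bootstrap.inc from an unpatched site.
SAMPLE_BOOTSTRAP_INC = """<?php
/**
 * The current system version.
 */
define('VERSION', '7.101');
"""

# Constructed rows, as returned by
#   SELECT name, type, status FROM system WHERE type = 'module';
SAMPLE_SYSTEM_ROWS = [
    ("node", "module", 1),
    ("overlay", "module", 1),
    ("toolbar", "module", 1),
    ("php", "module", 0),
]

_VERSION_RE = re.compile(r"""define\(\s*'VERSION'\s*,\s*'([^']+)'\s*\)""")


def parse_core_version(bootstrap_inc):
    """Return the core version as a tuple of ints, e.g. '7.101' -> (7, 101).

    Tuple comparison is deliberate: compared as strings, '7.102' < '7.99',
    which would misclassify every site on 7.99 or later.
    """
    m = _VERSION_RE.search(bootstrap_inc)
    if not m:
        raise ValueError("no VERSION define found in bootstrap.inc")
    main = m.group(1).split("-", 1)[0]  # strip '-dev' / '-rc1' style suffixes
    parts = []
    for p in main.split("."):
        # 'x' in a '7.x-dev' checkout sorts below any release (conservative)
        parts.append(int(p) if p.isdigit() else -1)
    return tuple(parts)


def enabled_modules(system_rows):
    """Set of enabled module names from `system` table rows."""
    return {name for name, typ, status in system_rows
            if typ == "module" and status == 1}


def assess(bootstrap_inc, system_rows):
    """Return (status, detail) for this advisory.

    status is one of: out_of_scope, patched, mitigated, vulnerable.
    """
    version = parse_core_version(bootstrap_inc)
    modules = enabled_modules(system_rows)
    if version[0] != 7:
        return ("out_of_scope",
                "advisory covers Drupal 7 only; Overlay was removed in Drupal 8")
    if version >= FIXED_VERSION:
        return ("patched", "core %d.%d includes the fix" % version[:2])
    if "overlay" not in modules:
        return ("mitigated", "core is below 7.102 but Overlay is disabled")
    return ("vulnerable",
            "core %d.%d with Overlay enabled: update to 7.102 or disable Overlay"
            % version[:2])


if __name__ == "__main__":
    print(assess(SAMPLE_BOOTSTRAP_INC, SAMPLE_SYSTEM_ROWS))
```

On a live site the same two facts come from `drush status` (core version) and `drush pm-list --type=module --status=enabled` (whether Overlay is on), and `drush pm-disable overlay` applies the interim mitigation the advisory names; those are Drush 8 commands, the Drush line that supports Drupal 7. Note that disabling Overlay only sidesteps the issue; the update to 7.102 is still the fix.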

Reported By: 
* Cesar [4]

Fixed By: 
* Cesar [5]
* Greg Knaddison [6] of the Drupal Security Team
* Matthew Grill [7]
* Wim Leers [8]
* Drew Webber [9] of the Drupal Security Team
* Ra Mänd [10]
* Fabian Franz [11]
* Juraj Nemec [12] of the Drupal Security Team

Coordinated By: 
* Juraj Nemec [13] of the Drupal Security Team
* Greg Knaddison [14] of the Drupal Security Team
* xjm [15] of the Drupal Security Team


[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/7.102
[4] https://www.drupal.org/user/3546810
[5] https://www.drupal.org/user/3546810
[6] https://www.drupal.org/user/36762
[7] https://www.drupal.org/user/1602706
[8] https://www.drupal.org/user/99777
[9] https://www.drupal.org/user/255969
[10] https://www.drupal.org/user/601534
[11] https://www.drupal.org/user/693738
[12] https://www.drupal.org/user/272316
[13] https://www.drupal.org/user/272316
[14] https://www.drupal.org/user/36762
[15] https://www.drupal.org/u/xjm

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news



Archive provided by MHonArc 2.6.19+.
