it-securitynotifies - [IT-SecNots] [Security-news] Drupal core - Critical - Cross site scripting - SA-CORE-2025-001

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

List archive

[IT-SecNots] [Security-news] Drupal core - Critical - Cross site scripting - SA-CORE-2025-001


  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Drupal core - Critical - Cross site scripting - SA-CORE-2025-001
  • Date: Wed, 19 Feb 2025 18:13:11 +0000 (UTC)
  • Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b="PVDeZ5V/"; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.133 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org A196C4157E
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 9B77683F72
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-core-2025-001

Project: Drupal core [1]
Date: 2025-February-19
Security risk: *Critical* 17 ∕ 25
AC:Basic/A:None/CI:Some/II:Some/E:Proof/TD:All [2]
Vulnerability: Cross site scripting

Affected versions: >= 8.0.0 < 10.3.13 || >= 10.4.0 < 10.4.3 || >= 11.0.0 < 11.0.12 || >= 11.1.0 < 11.1.3
Description: 
Drupal core doesn't sufficiently filter error messages under certain
circumstances, leading to a reflected cross-site scripting (XSS)
vulnerability.

Sites are encouraged to update. There are not yet publicly documented steps to
exploit this, but there may be soon given the nature of this issue.

This issue is being protected by Drupal Steward [3]. Sites that use Drupal
Steward are already protected, but are still encouraged to upgrade in the
near future.

Solution: 
Install the latest version:

* If you use Drupal 10.3.x, update to Drupal 10.3.13 [4]
* If you use Drupal 10.4.x, update to Drupal 10.4.3 [5]
* If you use Drupal 11.0.x, update to Drupal 11.0.12 [6]
* If you use Drupal 11.1.x, update to Drupal 11.1.3 [7]

All versions of Drupal 10 prior to 10.3 are end-of-life and do not receive
security coverage. (Drupal 8 [8] and Drupal 9 [9] have both reached
end-of-life.)
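To turn the affected-version expression and the fixed releases above into a fleet check, the following script evaluates the advisory's range syntax against installed Drupal versions and reports which branch to update to. This is an added example, not part of the Drupal advisory and not Drupal's own tooling; the range string and fixed releases are copied from SA-CORE-2025-001, while the installed versions it is run against are constructed sample inputs.

```python
"""Evaluate SA-CORE-2025-001's affected-version expression against installed versions.

Added example, not part of the Drupal advisory or of Drupal's own tooling.
AFFECTED and FIXED are copied from the advisory text; the version strings passed
to triage() are constructed sample inputs.
"""
import re

# Affected-version expression exactly as printed in the advisory.
AFFECTED = (">= 8.0.0 < 10.3.13 || >= 10.4.0 < 10.4.3 || "
            ">= 11.0.0 < 11.0.12 || >= 11.1.0 < 11.1.3")

# Fixed release per supported minor branch, from the "Solution" section.
# Branches missing here (8.x, 9.x, 10.0-10.2) are end-of-life per the advisory.
FIXED = {"10.3": "10.3.13", "10.4": "10.4.3", "11.0": "11.0.12", "11.1": "11.1.3"}

_CMP = {
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b,
    "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}


def parse_version(version):
    """'10.3.13' -> (10, 3, 13). A trailing tag such as '-dev' is ignored and
    missing components are padded with zeros, so '10.4' compares as 10.4.0."""
    core = version.split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def parse_ranges(expr):
    """Split the advisory syntax into OR-ed alternatives, each a list of
    (operator, version-tuple) conditions that must all hold."""
    ranges = []
    for alternative in expr.split("||"):
        conds = re.findall(r"(>=|<=|>|<|=)\s*(\d+(?:\.\d+)*)", alternative)
        if not conds:
            raise ValueError(f"unparseable range: {alternative!r}")
        ranges.append([(op, parse_version(ver)) for op, ver in conds])
    return ranges


def is_affected(installed, expr=AFFECTED):
    """True if the installed version falls inside any affected range."""
    v = parse_version(installed)
    return any(all(_CMP[op](v, bound) for op, bound in conj)
               for conj in parse_ranges(expr))


def recommended_release(installed):
    """Fixed release for the installed minor branch, or None when the branch
    has no security coverage (end-of-life) according to the advisory."""
    major, minor, _ = parse_version(installed)
    return FIXED.get(f"{major}.{minor}")


def triage(versions):
    """Map each installed version string to a one-line status."""
    result = {}
    for v in versions:
        if not is_affected(v):
            result[v] = "not affected"
            continue
        fix = recommended_release(v)
        if fix:
            result[v] = f"affected; update to {fix}"
        else:
            result[v] = "affected; branch is end-of-life, migrate to a supported branch"
    return result


if __name__ == "__main__":
    # Constructed sample inventory (not from the advisory).
    sample = ["10.3.12", "10.3.13", "10.4.2", "11.0.11", "11.1.3", "9.5.11", "10.2.5"]
    for version, status in triage(sample).items():
        print(f"{version:>8}  {status}")
```

The parser handles the general `||`-separated conjunction syntax the Drupal Security Team uses across advisories, not just this one expression, so the same `is_affected` call works with the range string from any later SA-CORE bulletin. The boundaries are exclusive upper bounds, so a site already on a fixed release (for example 10.3.13) reports "not affected", while a 10.2.x or 9.x site is flagged as affected with no fixed release in its branch, matching the advisory's end-of-life note.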

Reported By: 
* Arne (arkepp) [10]
* bdanin [11]
* Douglas Groene (dgroene) [12]
* Dragos Dumitrescu (dragos-dumi) [13]
* Flo Kosiol (flokosiol) [14]
* Gerardo Cadau (juanramonperez) [15]
* Justin Christoffersen (larsdesigns) [16]
* nuwans [17]
* Sven Decabooter (svendecabooter) [18]
* Will Gunn (wgunn_e) [19]

Fixed By: 
* catch (catch) [20] of the Drupal Security Team
* Drew Webber (mcdruid) [21] of the Drupal Security Team



[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/steward
[4] https://www.drupal.org/project/drupal/releases/10.3.13
[5] https://www.drupal.org/project/drupal/releases/10.4.3
[6] https://www.drupal.org/project/drupal/releases/11.0.12
[7] https://www.drupal.org/project/drupal/releases/11.1.3
[8] https://www.drupal.org/psa-2021-06-29
[9] https://www.drupal.org/psa-2023-11-01
[10] https://www.drupal.org/u/arkepp
[11] https://www.drupal.org/u/bdanin
[12] https://www.drupal.org/u/dgroene
[13] https://www.drupal.org/u/dragos-dumi
[14] https://www.drupal.org/u/flokosiol
[15] https://www.drupal.org/u/juanramonperez
[16] https://www.drupal.org/u/larsdesigns
[17] https://www.drupal.org/u/nuwans
[18] https://www.drupal.org/u/svendecabooter
[19] https://www.drupal.org/u/wgunn_e
[20] https://www.drupal.org/u/catch
[21] https://www.drupal.org/u/mcdruid

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news



Archive provided by MHonArc 2.6.19+.