it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [Security-news] Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2025-004

From: security-news AT drupal.org
To: security-news AT drupal.org
Subject: [IT-SecNots] [Security-news] Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2025-004
Date: Wed, 19 Mar 2025 18:54:37 +0000 (UTC)
Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=UrGbrzVF; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.136 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
Dkim-filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org EDF506F77B
Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 1311E81351
List-archive: <http://lists.drupal.org/pipermail/security-news/>
List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-core-2025-004

Project: Drupal core [1]
Date: 2025-March-19
Security risk: *Moderately critical* 13 ∕ 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross Site Scripting

Affected versions: >= 8.0.0 < 10.3.14 || >= 10.4.0 < 10.4.5 || >= 11.0.0 <
11.0.13 || >= 11.1.0 < 11.1.5
Description:
Drupal core Link field attributes are not sufficiently sanitized, which can
lead to a Cross Site Scripting vulnerability (XSS).

This vulnerability is mitigated by that fact that an attacker would need to
have the ability to add specific attributes to a Link field, which typically
requires edit access via core web services, or a contrib or custom module.

Sites with the Link module disabled or that do not use any link fields are
not affected.

Solution:
Install the latest version:

* If you use Drupal 10.3.x, update to Drupal 10.3.14 [3]
* If you use Drupal 10.4.x, update to Drupal 10.4.5 [4]
* If you use Drupal 11.0.x, update to Drupal 11.0.13 [5]
* If you use Drupal 11.1.x, update to Drupal 11.1.5 [6]

All versions of Drupal prior to 10.3 are end-of-life and do not receive
security coverage from the Drupal Security Team.

Reported By:
* Samuel Mortenson (samuel.mortenson) [7]

Fixed By:
* Benji Fisher (benjifisher) [8] of the Drupal Security Team
* Bram Driesen (bramdriesen) [9] Provisional Member of the Drupal Security
Team
* Alex Bronstein (effulgentsia) [10]
* Jen Lampton (jenlampton) [11] Provisional Member of the Drupal Security
Team
* Lee Rowlands (larowlan) [12] of the Drupal Security Team
* Dave Long (longwave) [13] of the Drupal Security Team
* Drew Webber (mcdruid) [14] of the Drupal Security Team
* Joseph Zhao (pandaski) [15] Provisional Member of the Drupal Security Team
* Adam G-H (phenaproxima) [16]
* Samuel Mortenson (samuel.mortenson) [17]
* Jess (xjm) [18] of the Drupal Security Team

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/10.3.14
[4] https://www.drupal.org/project/drupal/releases/10.4.5
[5] https://www.drupal.org/project/drupal/releases/11.0.13
[6] https://www.drupal.org/project/drupal/releases/11.1.5
[7] https://www.drupal.org/u/samuelmortenson
[8] https://www.drupal.org/u/benjifisher
[9] https://www.drupal.org/u/bramdriesen
[10] https://www.drupal.org/u/effulgentsia
[11] https://www.drupal.org/u/jenlampton
[12] https://www.drupal.org/u/larowlan
[13] https://www.drupal.org/u/longwave
[14] https://www.drupal.org/u/mcdruid
[15] https://www.drupal.org/u/pandaski
[16] https://www.drupal.org/u/phenaproxima
[17] https://www.drupal.org/u/samuelmortenson
[18] https://www.drupal.org/u/xjm

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

[IT-SecNots] [Security-news] Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2025-004, security-news, 19.03.2025

Archiv bereitgestellt durch MHonArc 2.6.19+.