Drupal core - Critical - Cross-site scripting - SA-CORE-2021-002

Project: Drupal core
Date: 2021-April-21
Security risk: Critical 15∕25
Vulnerability: Cross-site scripting

Description

Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances.

Not all sites and users are affected, but configuration changes to prevent the exploit might be impractical and will vary between sites. Therefore, we recommend all sites update to this release as soon as possible.

Solution

Install the latest version:

If you are using Drupal 9.1, update to Drupal 9.1.7.
If you are using Drupal 9.0, update to Drupal 9.0.12.
If you are using Drupal 8.9, update to Drupal 8.9.14.
If you are using Drupal 7, update to Drupal 7.80.

Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage.

Nick Onom
Marketing Project Manager

Enthusiastic about all kinds of Open Source applications, AI, bitcoins, but mostly Drupal and Backdrop. For last years has been actively developing AltaGrade's new back-end system.

Drupal · Security

Drupal core - Critical - Cross-site scripting - SA-CORE-2021-002

Description

Solution

We value your opinion. Please add your feedback.