Project: Drupal core
Date: 2025-February-19
Security risk: Critical 17 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Cross site scripting
Affected versions: >= 8.0.0 < 10.3.13 || >= 10.4.0 < 10.4.3 || >= 11.0.0 < 11.0.12 || >= 11.1.0 < 11.1.3
Description:
Drupal core doesn't sufficiently filter error messages under certain circumstances, leading to a reflected Cross Site Scripting vulnerability (XSS).
Sites are encouraged to update. There are not yet publicly documented steps to exploit this, but there may be soon given the nature of this issue.
This issue is being protected by Drupal Steward. Sites that use Drupal Steward are already protected, but are still encouraged to upgrade in the near future.
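The bug class named above, reflected XSS through an error message that echoes request input back into the page, illustrated with an added generic PHP example. This is not Drupal's code and not the affected code path (which the advisory does not disclose); the function names, message wording and the probe payload are assumptions chosen to show the vulnerable pattern beside its hardened form.

```php
<?php
// Added illustration of reflected XSS via an error message, not Drupal code.
// Generic PHP 8; function names, wording and the payload are assumptions.

declare(strict_types=1);

// Vulnerable pattern: the rejected value is interpolated into HTML as-is,
// so whatever the request carried is handed to the browser as markup.
function render_error_vulnerable(string $field, string $value): string
{
    return '<div class="messages messages--error">'
        . "The value \"$value\" is not valid for $field."
        . '</div>';
}

// Output encoding for an HTML text or quoted-attribute context.
function escape_html(string $s): string
{
    // ENT_QUOTES also encodes ' so the result is safe inside attributes;
    // ENT_SUBSTITUTE keeps invalid UTF-8 from turning the whole message into
    // an empty string, which would silently drop the error (and the evidence).
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: every untrusted fragment is escaped at the point it is
// written into HTML, regardless of where the value came from.
function render_error_safe(string $field, string $value): string
{
    return '<div class="messages messages--error">'
        . 'The value "' . escape_html($value) . '" is not valid for '
        . escape_html($field) . '.'
        . '</div>';
}

// Attribute/URL context needs its own encoding step before HTML escaping:
// percent-encode the query value, then escape the resulting href.
function render_retry_link_safe(string $value): string
{
    $href = '/retry?value=' . rawurlencode($value);
    return '<a href="' . escape_html($href) . '">Try again</a>';
}

// Returns true when the rendered fragment no longer contains a raw tag or
// an unescaped quote that could close an attribute. A quick self-check,
// not a substitute for a real HTML parser.
function looks_inert(string $html_fragment): bool
{
    return !str_contains($html_fragment, '<script')
        && !str_contains($html_fragment, '"><');
}

// Constructed probe payload of the kind reflected-XSS scanners send;
// it is not taken from the advisory.
$payload = '"><script>alert(document.domain)</script>';

$vulnerable = render_error_vulnerable('title', $payload);
$safe       = render_error_safe('title', $payload);
$link       = render_retry_link_safe($payload);

echo 'vulnerable: ', $vulnerable, PHP_EOL;   // contains a live <script> element
echo 'safe:       ', $safe, PHP_EOL;         // contains &lt;script&gt; as text only
echo 'link:       ', $link, PHP_EOL;

// Only the escaped forms pass; the vulnerable one reproduces the payload verbatim.
var_dump(looks_inert($vulnerable), looks_inert($safe), looks_inert($link));
```

Run with `php example.php`; the `var_dump` line prints `bool(false)` for the vulnerable fragment and `bool(true)` for the two hardened ones. In Drupal code the same discipline is expressed with the core helpers rather than `htmlspecialchars()` directly: `Drupal\Component\Utility\Html::escape()` for a bare string, or the `@placeholder` form of `t()`/`FormattableMarkup`, which escapes the substituted value; the thing to avoid is concatenating request-derived text into a string that is later treated as markup.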
Solution:
Install the latest version:
- If you use Drupal 10.3.x, update to Drupal 10.3.13
- If you use Drupal 10.4.x, update to Drupal 10.4.3
- If you use Drupal 11.0.x, update to Drupal 11.0.12
- If you use Drupal 11.1.x, update to Drupal 11.1.3
All versions of Drupal 10 prior to 10.3 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Reported By:
- Arne (arkepp)
- bdanin
- Douglas Groene (dgroene)
- Dragos Dumitrescu (dragos-dumi)
- Flo Kosiol (flokosiol)
- Gerardo Cadau (juanramonperez)
- Justin Christoffersen (larsdesigns)
- nuwans
- Sven Decabooter (svendecabooter)
- Will Gunn (wgunn_e)
- catch (catch) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team