Drupal core – Moderately critical – Cross-site scripting – SA-CORE-2020-007
by CIRT Team
DESCRIPTION
The Drupal AJAX API does not disable JSONP by default, which can lead to cross-site scripting.
SYSTEM AFFECTED
Following actions are recommended to be taken:
Install the latest version:
• If you are using Drupal 7.x, upgrade to Drupal 7.73.
• If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10.
• If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6.
• If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6.
RECOMMENDATIONS
Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10.
If you were previously relying on Drupal’s AJAX API to perform trusted JSONP requests, you’ll either need to override the AJAX options to set “jsonp: true”, or you’ll need to use the jQuery AJAX API directly.
If you are using jQuery’s AJAX API for user-provided URLs in a contrib or custom module, you should review your code and set “jsonp: false” where this is appropriate.
REFERENCES
https://www.drupal.org/sa-core-2020-007
Recommended Posts
Cyber Threat Alert: Surge in Attacks via Compromised Third-Party Service Providers
08 Feb 2024 - Articles, English articles, Security Advisories & Alerts
Subscribe here
MEMBER OF:
