Drupal core - Critical - Cross Site Scripting - SA-CORE-2024-005
Project: Drupal core
Date: 2024-November-20
Security risk: Critical 17 ∕ 25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross Site Scripting
Description: Drupal 7 core's Overlay module doesn't safely handle user input, leading to reflected cross-site scripting under certain circumstances.
Only sites with the Overlay module enabled are affected by this vulnerability.
Solution: Install the latest version:
- If you are using Drupal 7, update to Drupal 7.102
- Sites may also disable the Overlay module to avoid the issue.
Drupal 10 and Drupal 11 are not affected, as the Overlay module was removed from Drupal core in Drupal 8.
Reported By:
Fixed By:
- Cesar
- Greg Knaddison of the Drupal Security Team
- Matthew Grill
- Wim Leers
- Drew Webber of the Drupal Security Team
- Ra Mänd
- Fabian Franz
- Juraj Nemec of the Drupal Security Team
Coordinated By:
- Juraj Nemec of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- xjm of the Drupal Security Team