Drupal core - Critical - Cross Site Scripting - SA-CORE-2024-005

Project: Drupal coreDate: 2024-November-20Security risk: Critical 17 ∕ 25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingDescription: Drupal 7 core's Overlay module doesn't safely handle user input, leading to reflected cross-site scripting under certain circumstances.
Only sites with the Overlay module enabled are affected by this vulnerability.Solution: Install the latest version:

  • If you are using Drupal 7, update to Drupal 7.102
  • Sites may also disable the Overlay module to avoid the issue.

Drupal 10 and Drupal 11 are not affected, as the Overlay module was removed from Drupal core in Drupal 8.Reported By: 

Fixed By: 

Coordinated By: 

Path to article https://www.drupal.org/sa-core-2024-005