Read Time:50 Second
Project: 
Drupal core
Date: 
2024-November-20
Security risk: 
Critical 17 ∕ 25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: 
Cross Site Scripting
Description: 

Drupal 7 core’s Overlay module doesn’t safely handle user input, leading to reflected cross-site scripting under certain circumstances.

Only sites with the Overlay module enabled are affected by this vulnerability.

Solution: 

Install the latest version:

If you are using Drupal 7, update to Drupal 7.102
Sites may also disable the Overlay module to avoid the issue.

Drupal 10 and Drupal 11 are not affected, as the Overlay module was removed from Drupal core in Drupal 8.

Reported By: 
Cesar
Fixed By: 
Cesar
Greg Knaddison of the Drupal Security Team
Matthew Grill
Wim Leers
Drew Webber of the Drupal Security Team
Ra Mänd
Fabian Franz
Juraj Nemec of the Drupal Security Team
Coordinated By: 
Juraj Nemec of the Drupal Security Team
Greg Knaddison of the Drupal Security Team
xjm of the Drupal Security Team

Read More

More Stories

vyper-0.4.1-1.fc41

FEDORA-2025-c7fae57601 Packages in this update: vyper-0.4.1-1.fc41 Update description: Vyper ver. 0.4.1 Another one small fix Fix for a few known...

vyper-0.4.1-1.fc40

FEDORA-2025-77c63e7236 Packages in this update: vyper-0.4.1-1.fc40 Update description: Vyper ver. 0.4.1 Another one small fix Fix for a few known...