Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2022-001

Read Time:1 Minute, 21 Second

Project:

Drupal core

Date:

2022-January-19

Security risk:

Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default

Vulnerability:

Cross Site Scripting

Description:

jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life.

Late in 2021, jQuery UI announced that they would be continuing development, and released a jQuery UI 1.13.0 version. As part of this 1.13.0 update, they disclosed the following security issue that may affect Drupal 9 and 7:

CVE-2021-41184: XSS in the `of` option of the `.position()` util

It is possible that this vulnerability is exploitable with some Drupal modules. As a precaution, this Drupal security release applies the fix for the above cross-site description issue, without making any of the other changes to the jQuery version that is included in Drupal.

This advisory is not covered by Drupal Steward.

Solution:

Install the latest version:

If you are using Drupal 9.3, update to Drupal 9.3.3.
If you are using Drupal 9.2, update to Drupal 9.2.11.
If you are using Drupal 7, update to Drupal 7.86.

All versions of Drupal 8 and 9 prior to 9.2.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Reported By:

Lauri Eskola

Fixed By:

Lauri Eskola
Chris of the Drupal Security Team
Drew Webber of the Drupal Security Team
Alex Bronstein of the Drupal Security Team
Ben Mullins
xjm of the Drupal Security Team
Théodore Biadala

Cyber Security News

Cybercriminals Hesitant About Using Generative AI

For want of a cyber nail the kingdom fell

Americans Receive Two Billion Spam Calls Per Month

CISA Warns Congress on Chemical Industry Terror Attacks

Securing the software supply chain webinar

Ukraine Police Dismantle Major Ransomware Group

Cybersecurity Incident Hits Fidelity National Financial

Beneath the Surface: How Hackers Turn NetSupport Against Users

SysJoker Malware: Hamas-Related Threat Expands With Rust Variant

Drupal core – Moderately critical – Cross Site Scripting – SA-CORE-2022-001

firefox-flatpak-120.0-2

opendkim-2.11.0-0.36.el9

firefox-120.0-3.fc37

SEC Consult SA-20231123 :: Uninstall Key Caching in Fortra Digital Guardian Agent Uninstaller

SEC Consult SA-20231122 :: Multiple Vulnerabilities in m-privacy TightGate-Pro

Senec Inverters Home V1, V2, V3 Home & Hybrid Use of Hard-coded Credentials – CVE-2023-39169