View online: https://www.drupal.org/sa-core-2020-003
Project: Drupal core [1]
Date: 2020-May-20
Security risk: *Moderately critical* 10∕25
AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:All [2]
Vulnerability: Open Redirect
Description:
Drupal 7 has an Open Redirect vulnerability. For example, a user could be
tricked into visiting a specially crafted link which would redirect them to
an arbitrary external URL.
The vulnerability is caused by insufficient validation of the destination
query parameter in the drupal_goto() function.
Other versions of Drupal core are not vulnerable.
Solution:
Install the latest version:
* If you use Drupal 7.x upgrade to Drupal 7.70 [3]
Reported By:
* vortfu [4]
Fixed By:
* Drew Webber [5] of the Drupal Security Team
* Fabian Franz [6]
* David Snopek [7] of the Drupal Security Team
* vortfu [8]
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/7.70
[4] https://www.drupal.org/user/3638636
[5] https://www.drupal.org/user/255969
[6] https://www.drupal.org/user/693738
[7] https://www.drupal.org/user/266527
[8] https://www.drupal.org/user/3638636
_______________________________________________
Security-news mailing list
Security-news@drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
View online: https://www.drupal.org/sa-core-2020-002
Project: Drupal core [1]
Date: 2020-May-20
Security risk: *Moderately critical* 10∕25
AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross Site Scripting
Description:
The jQuery project released version 3.5.0, and as part of that, disclosed two
security vulnerabilities that affect all prior versions. As mentioned in the
jQuery blog [3], both are
>[…] security issues in jQuery’s DOM manipulation methods, as in
.html(),
>.append(), and the others. Security advisories for both of these issues
have
>been published on GitHub.
>
Those advisories are:
* CVE-2020-11022 [4]
* CVE-2020-11023 [5]
These vulnerabilities may be exploitable on some Drupal sites. This Drupal
security release backports the fixes to the relevant jQuery functions,
without making any other changes to the jQuery version that is included in
Drupal core or running on the site via some other module such as jQuery
Update [6]. It is not necessary to update jquery_update on Drupal 7 sites
that have the module installed.
Backwards-compatibility code has also been added to minimize regressions to
Drupal sites that might rely on jQuery’s prior behavior. With jQuery 3.5,
incorrect self-closing HTML tags in JavaScript for elements where end tags
are normally required will encounter a change in what jQuery returns or
inserts [7]. To minimize that disruption in 8.8.x and earlier, this security
release retains jQuery’s prior behavior for most safe tags. There may still
be regressions for edge cases, including invalidly self-closed custom
elements [8] on Internet Explorer.
(Note: the backwards compatibility layer will not be included in the upcoming
Drupal 8.9 and 9.0 releases, so Drupal 8 and 9 modules, themes, and sites
should correct tags in JavaScript to properly use closing tags.)
If you find a regression [9] caused by the jQuery changes, please report it
in Drupal core’s issue queue [10] (or that of the relevant contrib project).
However, if you believe you have found a security issue, please report it
privately to the Drupal Security Team [11].
Solution:
Install the latest version:
* If you are using Drupal 8.8, upgrade to Drupal 8.8.6 [12].
* If you are using Drupal 8.7, upgrade to Drupal 8.7.14 [13].
* If you are using Drupal 7, upgrade to Drupal 7.70 [14].
Versions of Drupal 8 prior to 8.7 are end-of-life and do not receive security
coverage. Sites on 8.6 or earlier should update to 8.7.14.
The pre-release Drupal versions (8.9 and 9.0) have been updated jQuery to
version 3.5.1 as of 8.9.0-beta3 and 9.0.0-beta3.
Reported By:
* Drew Webber [15] of the Drupal Security Team
* Emerson Jair Reis Oliveira da Silva [16]
Fixed By:
* Drew Webber [17] of the Drupal Security Team
* Sally Young [18]
* cilefen [19] of the Drupal Security Team
* Jess [20] of the Drupal Security Team
* Emerson Jair Reis Oliveira da Silva [21]
* Lee Rowlands [22] of the Drupal Security Team
* Alex Bronstein [23] of the Drupal Security Team
* Ben Mullins [24]
* Lauri Eskola [25]
* Peter Weber [26]
* Samuel Mortenson [27] of the Drupal Security Team
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3]
https://blog.jquery.com/2020/05/04/jquery-3-5-1-released-fixing-a-regression/
[4] https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2
[5] https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6
[6] https://www.drupal.org/project/jquery_update
[7] https://jquery.com/upgrade-guide/3.5/#description-of-the-change
[8] https://html.spec.whatwg.org/multipage/custom-elements.html
[9] https://en.wikipedia.org/wiki/Software_regression
[10] https://www.drupal.org/project/issues/drupal
[11] https://www.drupal.org/security-team/report-issue
[12] https://www.drupal.org/project/drupal/releases/8.8.6
[13] https://www.drupal.org/project/drupal/releases/8.7.14
[14] https://www.drupal.org/project/drupal/releases/7.70
[15] https://www.drupal.org/user/255969
[16] https://www.drupal.org/user/3580914
[17] https://www.drupal.org/user/255969
[18] https://www.drupal.org/user/161058
[19] https://www.drupal.org/user/1850070
[20] https://www.drupal.org/user/65776
[21] https://www.drupal.org/user/3580914
[22] https://www.drupal.org/user/395439
[23] https://www.drupal.org/user/78040
[24] https://www.drupal.org/user/2369194
[25] https://www.drupal.org/user/1078742
[26] https://www.drupal.org/user/1448368
[27] https://www.drupal.org/user/2582268
_______________________________________________
Security-news mailing list
Security-news@drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news