jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life. Late in 2021, jQuery UI announced that they would be continuing development, and released a jQuery UI 1.13.0 version.

In addition to the issue covered by SA-CORE-2022-001, further security vulnerabilities disclosed in jQuery UI 1.13.0 may affect Drupal 7 only:

- CVE-2021-41182: XSS in the altField option of the Datepicker widget.
- CVE-2021-41183: XSS in *Text options of the Datepicker widget.

Furthermore, other vulnerabilities listed below were previously unaddressed in the version of jQuery UI included in Drupal 7 or in the jQuery Update module:

- CVE-2016-7103: XSS in the closeText option of Dialog.
- CVE-2010-5312: XSS in the title option of Dialog (applicable only to the jQuery UI version included in D7 core).

As a precaution, this Drupal security release applies the fix for the above cross-site scripting issues, without making other changes to the jQuery UI version that is included in Drupal.

Important note regarding the jQuery Update contrib module

These backport fixes in D7 have also been tested with the version of jQuery UI provided by the most recent releases of the jQuery Update module (jQuery UI 1.10.2) and the fixes confirmed. Therefore, there is no accompanying security release for jQuery Update. However, in early 2022 the currently supported release of jQuery Update (7.x-2.7 from 2015) will be deprecated and replaced by a new release from the 7.x-4.x branch. The stable release from that branch will then be the only release considered by the Drupal Security Team when new jQuery security issues arise. Please check the jQuery Update project page for more details, and for announcements when the changes are made to supported releases.

This advisory is not covered by Drupal Steward.

For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal core upgrade to jQuery 3. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example via the jQuery Update module.

As you may recall, back in June, Checkmarx disclosed multiple cross-site scripting (XSS) vulnerabilities impacting Drupal Core, listed as CVE-2020-13663, followed by a more technical breakdown of the findings in late November. Drupal 8 and 9 have a reflected cross-site scripting (XSS) vulnerability under certain circumstances. An attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. It is possible that these vulnerabilities are exploitable via contributed Drupal modules or custom code.

Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.18 allow remote authenticated users with certain privileges to inject arbitrary web script or HTML via (1) an action description, (2) an action message, (3) a node, or (4) a taxonomy term, related to the actions feature and the trigger module.

CVE-2015-4388: Cross-site scripting (XSS) vulnerability in the Current Search Links module 7.x-1.x before 7.x-1.1 for Drupal, when the Append the keywords.