====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN293
_____________________________________________________________________

DATE                : 22/05/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Drupal core versions prior
                             to 7.70, 8.8.6, 8.7.14, .

=====================================================================
https://www.drupal.org/sa-core-2020-002
https://www.drupal.org/sa-core-2020-003
_____________________________________________________________________

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2020-002

Project: Drupal core
Date:    2020-May-20
Security risk:
Moderately critical 10∕25
AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross Site Scripting


Description:

The jQuery project released version 3.5.0, and as part of that,
disclosed two security vulnerabilities that affect all prior versions.
As mentioned in the jQuery blog, both are

    [...] security issues in jQuery’s DOM manipulation methods, as in
.html(), .append(), and the others. Security advisories for both of
these issues have been published on GitHub.

Those advisories are:

    CVE-2020-11022
    CVE-2020-11023

These vulnerabilities may be exploitable on some Drupal sites. This
Drupal security release backports the fixes to the relevant jQuery
functions, without making any other changes to the jQuery version that
is included in Drupal core or running on the site via some other module
such as jQuery Update. It is not necessary to update jquery_update on
Drupal 7 sites that have the module installed.

Backwards-compatibility code has also been added to minimize regressions
to Drupal sites that might rely on jQuery's prior behavior. With jQuery
3.5, incorrect self-closing HTML tags in JavaScript for elements where
end tags are normally required will encounter a change in what jQuery
returns or inserts. To minimize that disruption in 8.8.x and earlier,
this security release retains jQuery's prior behavior for most safe
tags. There may still be regressions for edge cases, including invalidly
self-closed custom elements on Internet Explorer.

(Note: the backwards compatibility layer will not be included in the
upcoming Drupal 8.9 and 9.0 releases, so Drupal 8 and 9 modules, themes,
and sites should correct tags in JavaScript to properly use closing tags.)

If you find a regression caused by the jQuery changes, please report it
in Drupal core's issue queue (or that of the relevant contrib project).
However, if you believe you have found a security issue, please report
it privately to the Drupal Security Team.


Solution:

Install the latest version:

    If you are using Drupal 8.8, upgrade to Drupal 8.8.6.
    If you are using Drupal 8.7, upgrade to Drupal 8.7.14.
    If you are using Drupal 7, upgrade to Drupal 7.70.

Versions of Drupal 8 prior to 8.7 are end-of-life and do not receive
security coverage. Sites on 8.6 or earlier should update to 8.7.14.

The pre-release Drupal versions (8.9 and 9.0) have been updated jQuery
to version 3.5.1 as of 8.9.0-beta3 and 9.0.0-beta3.


Reported By:

    Drew Webber of the Drupal Security Team
    Emerson Jair Reis Oliveira da Silva


Fixed By:

    Drew Webber of the Drupal Security Team
    Sally Young
    cilefen of the Drupal Security Team
    Jess of the Drupal Security Team
    Emerson Jair Reis Oliveira da Silva
    Lee Rowlands of the Drupal Security Team
    Alex Bronstein of the Drupal Security Team
    Ben Mullins
    Lauri Eskola
    Peter Weber
    Samuel Mortenson of the Drupal Security Team

_____________________________________________________________________

Drupal core - Moderately critical - Open Redirect - SA-CORE-2020-003

Project: Drupal core
Date:    2020-May-20
Security risk:
Moderately critical 10∕25
AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:All
Vulnerability: Open Redirect


Description:

Drupal 7 has an Open Redirect vulnerability. For example, a user could
be tricked into visiting a specially crafted link which would redirect
them to an arbitrary external URL.

The vulnerability is caused by insufficient validation of the
destination query parameter in the drupal_goto() function.

Other versions of Drupal core are not vulnerable.


Solution:

Install the latest version:

    If you use Drupal 7.x upgrade to Drupal 7.70


Reported By:

    vortfu

Fixed By:

    Drew Webber of the Drupal Security Team
    Fabian Franz
    David Snopek of the Drupal Security Team
    vortfu



=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================