
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN229
_____________________________________________________________________

DATE                : 21/04/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Drupal versions prior to 9.1.7,
                     9.0.12, 8.9.14, 7.80.

=====================================================================
https://www.drupal.org/sa-core-2021-002
_____________________________________________________________________


Drupal core - Critical - Cross-site scripting - SA-CORE-2021-002
Project: Drupal core
Date: 2021-April-21
Security risk:
Critical 15/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross-site scripting


Description:

Drupal core's sanitization API fails to properly filter cross-site
scripting under certain circumstances.

Not all sites and users are affected, but configuration changes to
prevent the exploit might be impractical and will vary between sites.
Therefore, we recommend all sites update to this release as soon as
possible.


Solution:

Install the latest version:

    If you are using Drupal 9.1, update to Drupal 9.1.7.
    If you are using Drupal 9.0, update to Drupal 9.0.12.
    If you are using Drupal 8.9, update to Drupal 8.9.14.
    If you are using Drupal 7, update to Drupal 7.80.

Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive
security coverage.
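As an added check for administrators (example code written for this note, not from Drupal or CERT-Renater), the following Python classifies an installed Drupal core version against the fixed releases listed above, including the end-of-life rule for Drupal 8 before 8.9.x:

```python
# Added example: map a Drupal core version to the fixed releases named in
# SA-CORE-2021-002. Not part of Drupal or the CERT-Renater note.
from typing import Tuple

# Fixed releases from the advisory, keyed by the supported branch.
FIXED_BY_BRANCH = {
    (9, 1): (9, 1, 7),
    (9, 0): (9, 0, 12),
    (8, 9): (8, 9, 14),
    (7,): (7, 80),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '9.1.6' or '7.80' into a comparable tuple of ints.
    A pre-release suffix such as '-rc1' is dropped (assumption: treat it
    as its base release, which errs on the side of flagging it)."""
    base = version.strip().split("-")[0]
    return tuple(int(part) for part in base.split("."))


def assess(version: str) -> str:
    """Return 'fixed', 'vulnerable', 'end-of-life' or 'not listed'."""
    v = parse_version(version)
    # Drupal 7 releases are numbered 7.N; 8.x/9.x use major.minor.patch.
    branch = (v[0],) if v[0] == 7 else v[:2]
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is not None:
        return "fixed" if v >= fixed else "vulnerable"
    if v[0] == 8 and len(v) > 1 and v[1] < 9:
        # Drupal 8 prior to 8.9.x receives no security coverage.
        return "end-of-life"
    # Branches the advisory does not name (e.g. newer ones) are not assessed here.
    return "not listed"


if __name__ == "__main__":
    for ver in ("9.1.6", "9.1.7", "8.9.13", "8.8.1", "7.79", "7.80"):
        print(f"Drupal {ver}: {assess(ver)}")
```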


Reported By:

    Jasper Mattsson


Fixed By:

    Alex Pott of the Drupal Security Team
    Jasper Mattsson
    Michael Hess of the Drupal Security Team
    Wim Leers
    Heine of the Drupal Security Team
    Peter Wolanin of the Drupal Security Team
    Jess (xjm) of the Drupal Security Team
    Samuel Mortenson of the Drupal Security Team
    nwellnhof
    Alex Bronstein of the Drupal Security Team
    Lee Rowlands of the Drupal Security Team
    Adam G-H
    Drew Webber of the Drupal Security Team


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


