
=====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN485
_____________________________________________________________________

DATE                : 16/09/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Entity Embed for Drupal, versions
                     prior to 8.x-1.2.

=====================================================================
https://www.drupal.org/sa-contrib-2021-028
_____________________________________________________________________


Entity Embed - Moderately critical - Cross Site Request Forgery -
SA-CONTRIB-2021-028

Project:         Entity Embed
Date:            2021-September-15
Security risk:   Moderately critical 11/25
                 AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:All
Vulnerability:   Cross Site Request Forgery
CVE IDs:         CVE-2020-13673


Description:

This advisory addresses a similar issue to Drupal core - Moderately
critical - Cross Site Request Forgery - SA-CORE-2021-006.

The Entity Embed module provides a filter to allow embedding entities in
content fields. In certain circumstances, the filter could allow an
unprivileged user to inject HTML into a page when it is accessed by a
trusted user with permission to embed entities. In some cases, this
could lead to cross-site scripting.


Solution:

Install the latest version:

    If you use the Entity Embed module for Drupal 8 or 9, upgrade to
    Entity Embed 8.x-1.2.

Drupal 7 versions of Entity Embed do not have a stable release and
therefore do not receive security coverage.
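The following script is an added example and is not part of the CERT-Renater
note or of the Drupal advisory. It reads a Composer-managed site's
composer.lock and reports whether the installed drupal/entity_embed release
falls in the affected range. It assumes that the Drupal.org release 8.x-1.2
is published to Composer as 1.2.0 (the usual mapping for 8.x-* contrib
releases), so anything below 1.2.0, including 1.2.0 pre-releases, is treated
as affected. The composer.lock content embedded below is constructed sample
data.

```python
"""Flag an Entity Embed release affected by SA-CONTRIB-2021-028 in composer.lock.

Added example, not code from the advisory or the Entity Embed project.
Assumptions:
  - the site is Composer-managed and drupal/entity_embed appears in composer.lock;
  - Drupal.org release 8.x-1.2 corresponds to Composer version 1.2.0, so every
    version below 1.2.0 (including 1.2.0-alpha/beta/rc) is in the affected range.
"""
import json
import re
from typing import Optional, Tuple

# (major, minor, patch, stable) where stable is 1 for a release, 0 for a pre-release.
FIXED_VERSION = (1, 2, 0, 1)

# Constructed sample composer.lock (only the fields this check needs).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "9.2.5"},
        {"name": "drupal/entity_embed", "version": "1.1.0"},
    ],
    "packages-dev": [],
})


def parse_version(version: str) -> Optional[Tuple[int, int, int, int]]:
    """Normalise Composer/Drupal version strings into a comparable tuple.

    Accepts forms such as '1.1.0', 'v1.0.0-beta2' or '8.x-1.1'. Returns None for
    versions with no numeric release component (e.g. '1.x-dev'), which cannot
    be placed relative to the fix and must be reviewed by hand.
    """
    v = version.lstrip("v")
    v = re.sub(r"^\d+\.x-", "", v)  # drop a Drupal core prefix such as '8.x-'
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", v)
    if not m:
        return None
    major, minor, patch = m.groups()
    rest = v[m.end():]
    is_pre = bool(re.match(r"-(alpha|beta|rc|dev)", rest, re.IGNORECASE))
    return (int(major), int(minor), int(patch or 0), 0 if is_pre else 1)


def is_affected(version: str) -> Optional[bool]:
    """True if the version predates the fixed release, None if it cannot be compared."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return parsed < FIXED_VERSION


def check_lock(lock_text: str) -> dict:
    """Return {section: {'version': ..., 'affected': ...}} for drupal/entity_embed.

    Both 'packages' and 'packages-dev' are inspected; an empty dict means the
    module is not installed via Composer (check modules/ by hand in that case).
    """
    lock = json.loads(lock_text)
    findings = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == "drupal/entity_embed":
                findings[section] = {
                    "version": pkg["version"],
                    "affected": is_affected(pkg["version"]),
                }
    return findings


if __name__ == "__main__":
    for section, info in check_lock(SAMPLE_LOCK).items():
        status = {True: "AFFECTED", False: "fixed", None: "unknown (dev branch)"}[info["affected"]]
        print(f"{section}: drupal/entity_embed {info['version']} -> {status}")
```

Run it against a real composer.lock by replacing SAMPLE_LOCK with the file's
contents; a dev branch (e.g. 1.x-dev) is reported as unknown rather than
silently passed, because its commit, not its label, decides whether the fix is
present.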


Reported By:

    Aaron Zinck


Fixed By:

    Jess of the Drupal Security Team
    Adam G-H
    Drew Webber of the Drupal Security Team


Coordinated By:

    xjm of the Drupal Security Team
    Drew Webber of the Drupal Security Team



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


