Security update: Drupal 7.70 & Drupal 8.8.6

Written by Mark Enrega on Thursday, May 21, 2020

Drupal has released a moderately critical security update for Drupal 7 and Drupal 8. This security update (version 7.70 & 8.8.6) fixes vulnerabilities found in the jQuery project that is included in these versions of Drupal.

jQuery is a JavaScript library designed to simplify HTML DOM tree traversal and manipulation, as well as event handling, CSS animation, and Ajax.

The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the jQuery blog, both are security issues in jQuery’s DOM manipulation methods. Security advisories for both of these issues have been published widely.

These cross-site scripting vulnerabilities may be exploitable on some Drupal sites. This Drupal security release backports the fixes to the relevant jQuery functions, without making any other changes to the jQuery version that is included in Drupal core or running on the site via some other module such as jQuery Update.

Backwards-compatibility code has also been added to minimise regressions on Drupal sites that rely on jQuery's prior behaviour. With jQuery 3.5, HTML strings in JavaScript that incorrectly self-close elements which normally require an end tag (for example "<div/>" in place of "<div></div>") will see a change in what jQuery returns or inserts. To minimise that disruption in 8.8.x and earlier, this security release retains jQuery's prior behaviour for most safe tags. There may still be regressions for edge cases, including invalidly self-closed custom elements on Internet Explorer.
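The following is an added example, not Drupal's or jQuery's own code, written to illustrate the compatibility behaviour described above. It emulates, as plain string processing, a prefilter that expands self-closed tags into open/close pairs only for an allowlist of ordinary elements, leaving void elements, raw-text elements such as <script> and <style>, form controls and custom elements untouched. The allowlist, the sample markup and the audit helper are this example's own assumptions; Drupal's actual list of "safe tags" is not reproduced here.

```javascript
// Added example (not Drupal's or jQuery's code). Emulates a backwards-
// compatibility prefilter for HTML strings handed to DOM-manipulation
// methods: self-closed tags are expanded for an allowlist of ordinary
// elements only. Everything else is left for the browser's parser, which is
// what jQuery 3.5 does for all tags.

// Void elements never take an end tag, so "<br/>" must stay as it is.
const VOID_TAGS = new Set([
  'area', 'base', 'br', 'col', 'embed', 'hr', 'img', 'input',
  'link', 'meta', 'param', 'source', 'track', 'wbr',
]);

// Constructed allowlist of elements whose self-closed form is expanded.
// <script>, <style>, <select>, <option>, <textarea> and any hyphenated custom
// element are deliberately absent: expanding those changes how the browser
// parses the markup around them.
const SAFE_EXPAND_TAGS = new Set([
  'a', 'article', 'aside', 'b', 'div', 'em', 'footer', 'h1', 'h2', 'h3',
  'header', 'i', 'label', 'li', 'nav', 'ol', 'p', 'section', 'small', 'span',
  'strong', 'table', 'tbody', 'td', 'th', 'thead', 'tr', 'ul',
]);

// Matches "<tag attrs/>" where the tag name starts with a letter. Attribute
// values that themselves contain "/>" are not handled; a regex-based
// expansion cannot do better than this, which is one reason the jQuery
// project dropped the approach.
const SELF_CLOSED = /<([a-z][a-z0-9-]*)((?:\s[^>]*?)?)\s*\/>/gi;

// Expand '<div class="x"/>' to '<div class="x"></div>' for allowlisted tags only.
function compatHtmlPrefilter(html) {
  return html.replace(SELF_CLOSED, (match, tag, attrs) => {
    const name = tag.toLowerCase();
    if (VOID_TAGS.has(name) || !SAFE_EXPAND_TAGS.has(name)) {
      return match; // leave it to the browser's HTML parser
    }
    return `<${tag}${attrs.replace(/\s+$/, '')}></${tag}>`;
  });
}

// Audit helper: list the self-closed, non-void tags in an HTML string. These
// are the spots in a site's JavaScript where jQuery 3.5 returns or inserts
// something different from earlier versions.
function findRiskySelfClosedTags(html) {
  const risky = [];
  for (const m of html.matchAll(SELF_CLOSED)) {
    const name = m[1].toLowerCase();
    if (!VOID_TAGS.has(name)) risky.push(name);
  }
  return risky;
}

// Constructed sample input: a fragment a site's JavaScript might build.
const SAMPLE = '<div class="card"/><br/><my-widget/>';
console.log(compatHtmlPrefilter(SAMPLE));      // <div class="card"></div><br/><my-widget/>
console.log(findRiskySelfClosedTags(SAMPLE));  // [ 'div', 'my-widget' ]
```

Running findRiskySelfClosedTags over the HTML strings a theme or module builds in JavaScript is a quick way to find the places this release's compatibility layer may not cover, such as the self-closed custom element in the sample, before rolling the update out.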

What is cross-site scripting?

Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same-origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user's data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application's functionality and data.

Solution

The latest versions of Drupal include jQuery 3.5.0, which mitigates the vulnerabilities. All Drupal websites should be updated to the latest version of Drupal (versions 7.70 & 8.8.6).

Action

All Drupal websites that are hosted with Enrega will be updated by our support team. For more information about the update process, please see our security updates for your website page.

If you have a shared hosting account, you can see our progress by following our support team on Twitter. If you have a custom website that is not in shared hosting, we'll let you know by email when we're done.
