Drupal Core – Cross Site Scripting
Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.
Drupal security ID – SA-CORE-2019-004
Solution:
- If you are using Drupal 8.6, update to Drupal 8.6.13.
- If you are using Drupal 8.5 or earlier, update to Drupal 8.5.14.
- If you are using Drupal 7, update to Drupal 7.65.
Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.
Reported By:

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.