Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.
Drupal security ID – SA-CORE-2019-004
- If you are using Drupal 8.6, update to Drupal 8.6.13.
- If you are using Drupal 8.5 or earlier, update to Drupal 8.5.14.
- If you are using Drupal 7, update to Drupal 7.65.
Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.
Reported By: