Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2022-January-19
Vulnerability:
Cross Site Scripting
Affected versions:
>=7.0 <7.86 || >= 8.0.0 <9.2.11 || >= 9.3.0 <9.3.3
Description:
jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life.
Late in 2021, jQuery UI announced that they would be continuing development, and released a jQuery UI 1.13.0 version. As part of this 1.13.0 update, they disclosed the following security issue that may affect Drupal 9 and 7:
- CVE-2021-41184: XSS in the `of` option of the `.position()` util
It is possible that this vulnerability is exploitable with some Drupal modules. As a precaution, this Drupal security release applies the fix for the above cross-site description issue, without making any of the other changes to the jQuery version that is included in Drupal.
This advisory is not covered by Drupal Steward.
Solution:
Install the latest version:
- If you are using Drupal 9.3, update to Drupal 9.3.3.
- If you are using Drupal 9.2, update to Drupal 9.2.11.
- If you are using Drupal 7, update to Drupal 7.86.
All versions of Drupal 8 and 9 prior to 9.2.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Reported By:
Fixed By:
- Lauri Eskola
- Chris of the Drupal Security Team
- Drew Webber of the Drupal Security Team
- Alex Bronstein of the Drupal Security Team
- Ben Mullins
- xjm of the Drupal Security Team
- Théodore Biadala
