Open Social - Critical - Authentication Bypass - SA-CONTRIB-2021-011

Date: 2021-June-02

Open Social is a Drupal distribution for online communities.

The included social_magic_login module doesn't sufficiently validate magic login URLs for user accounts. The lack of validation makes it possible for an adversary to forge valid login URLs and log in to such an account.

This vulnerability is mitigated by the fact that the social_magic_login module needs to be enabled.

Open Social - Moderately critical - SQL Injection - SA-CONTRIB-2021-010

Date: 2021-June-02

This Open Social distribution provides a turn-key system for building customized social networks.

The module doesn't sufficiently process data in certain circumstances.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access mentions".

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2021-003

Date: 2021-May-26
CVE IDs: CVE-2021-33829

Update: 2021-06-11: Added CVE-2021-33829 identifier

Drupal core uses the third-party CKEditor library. This library has an error in parsing HTML that could lead to an XSS attack. CKEditor 4.16.1 and later include the fix.

Update: 2021-06-11: More details are available on CKEditor's blog.

Off Cycle Drupal Core Security Release - PSA-2021-05-25

Date: 2021-May-25

Update: After some delays, the new estimate for this release is 20:00 UTC on May 26th, 2021. Apologies for the inconvenience.

Chaos Tool Suite (ctools) - Moderately critical - Information disclosure - SA-CONTRIB-2021-009

Date: 2021-May-12

The Chaos tool suite (ctools) module provides a number of APIs and extensions for Drupal. Its 8.x-3.x branch is a start from scratch to evaluate the features of ctools that didn't make it into Drupal Core 8.0.x and port them.

The module doesn't sufficiently handle access control on its EntityView plugin.

This vulnerability is mitigated by the fact that successful exploitation requires special conditions in place such as custom solutions that allow injecting the context by means other than the route.

Facets - Moderately critical - Cross site scripting - SA-CONTRIB-2021-008

Date: 2021-May-12

This module enables you to add customizable facets on search pages, from core search or searches provided by Search API.

The module doesn't sufficiently filter all output in certain circumstances.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer facets".

Gutenberg - Critical - Access bypass - SA-CONTRIB-2021-007

Date: 2021-May-12

This module provides a new UI experience for node editing using the Gutenberg Editor library.

The module did not correctly validate access rules in certain situations, allowing anonymous users to delete blocks.

Drupal core - Critical - Cross-site scripting - SA-CORE-2021-002

Date: 2021-April-21
CVE IDs: CVE-2020-13672

Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances.

Not all sites and users are affected, but configuration changes to prevent the exploit might be impractical and will vary between sites. Therefore, we recommend all sites update to this release as soon as possible.

Fast Autocomplete - Moderately critical - Access bypass - SA-CONTRIB-2021-005

Date: 2021-March-17

The Fast Autocomplete module provides fast IMDB-like suggestions below a text input field. Suggestions are stored as JSON files in the public files folder so that they can be provided to the browser relatively fast without the need for Drupal to be bootstrapped.

The module doesn't correctly generate certain hashes when the configuration option "Perform search as anonymous user only" is switched from the default on value to off.
