Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2025-004
Project:
Date:
2025-March-19
Vulnerability:
Cross Site Scripting
Affected versions:
>= 8.0.0 < 10.3.14 || >= 10.4.0 < 10.4.5 || >= 11.0.0 < 11.0.13 || >= 11.1.0 < 11.1.5
Description:
Drupal core Link field attributes are not sufficiently sanitized, which can lead to a Cross Site Scripting vulnerability (XSS).
This vulnerability is mitigated by that fact that an attacker would need to have the ability to add specific attributes to a Link field, which typically requires edit access via core web services, or a contrib or custom module.
Sites with the Link module disabled or that do not use any link fields are not affected.
Solution:
Install the latest version:
- If you use Drupal 10.3.x, update to Drupal 10.3.14
- If you use Drupal 10.4.x, update to Drupal 10.4.5
- If you use Drupal 11.0.x, update to Drupal 11.0.13
- If you use Drupal 11.1.x, update to Drupal 11.1.5
All versions of Drupal prior to 10.3 are end-of-life and do not receive security coverage from the Drupal Security Team.
Reported By:
Fixed By:
- Benji Fisher (benjifisher) of the Drupal Security Team
- Bram Driesen (bramdriesen) Provisional Member of the Drupal Security Team
- Alex Bronstein (effulgentsia)
- Jen Lampton (jenlampton) Provisional Member of the Drupal Security Team
- Lee Rowlands (larowlan) of the Drupal Security Team
- Dave Long (longwave) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Joseph Zhao (pandaski) Provisional Member of the Drupal Security Team
- Adam G-H (phenaproxima)
- Samuel Mortenson (samuel.mortenson)
- Jess (xjm) of the Drupal Security Team