Project: Drupal core
Date: 2019-March-20
Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross Site Scripting
Description:
Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.
Solution:
If you are using Drupal 8.6, update to Drupal 8.6.13.
If you are using Drupal 8.5 or earlier, update to Drupal 8.5.14.
If you are using Drupal 7, update to Drupal 7.65.
Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.
Release notes
Maintenance and security release of the Drupal 7 series.
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-004
No other fixes are included.
No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary.
No database updates are required for this release.
https://www.drupal.org/sa-core-2019-004
Project: Drupal core Date: 2019-March-20 Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default Vulnerability: Cross Site Scripting Description: Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.
Solution: If you are using Drupal 8.6, update to Drupal 8.6.13. If you are using Drupal 8.5 or earlier, update to Drupal 8.5.14. If you are using Drupal 7, update to Drupal 7.65. Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.
https://www.drupal.org/project/drupal/releases/7.65
Release notes Maintenance and security release of the Drupal 7 series.
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-004 No other fixes are included.
No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary.
No database updates are required for this release.