drupal/core is vulnerable to Cross-site Scripting (XSS). The vulnerability exists due to a lack of domain validation, which allows an attacker to inject and execute arbitrary JavaScript, which can result in cookie exfiltration.
Name | Operator | Version
---|---|---
drupal/core | le | 9.3.18
drupal/core | le | 9.4.2
github.com/advisories/GHSA-4wfq-jc9h-vpcx
github.com/drupal/core/commit/0993e9f63e8c03f6c1e1c482b0985c89eaa485ee
github.com/drupal/core/commit/1cd1830d79f221cc8490f53c2bb487dd07094f17
github.com/drupal/core/commit/2d1a5f12c25a4a7211daf19afef81dd6a190c077
github.com/drupal/core/commit/2d5f47fc8a166115f56c2330a81e83abe22445cf
github.com/drupal/core/commit/5d464ea4407c50e40dcf6cb5ee376e7b8dd36f3a
github.com/drupal/core/commit/61ba6b8035a5d47faf5c1e087d01149c75da88c7
github.com/drupal/core/commit/e2fbf63700819cb470a1be425798f1a3f2020116
github.com/drupal/core/commit/ff9cc65283c5e096e44f6c0770a93b7697ff58ef
github.com/drupal/core/compare/9.3.18...9.3.19
github.com/drupal/core/compare/9.4.2...9.4.3
www.drupal.org/sa-core-2022-015