Grant Gaudet

#42785 of 53,635
6.1 Total CVSS
Vulnerabilities · 1
PT-2018-8351
6.1
2018-02-24
Drupal · Drupal · CVE-2017-6927
**Name of the Vulnerable Software and Affected Versions**

Drupal versions 8.4.x before 8.4.5

Drupal versions 7.x before 7.57

**Description**

The issue arises from the `Drupal.checkPlain()` JavaScript function, which is intended to escape potentially dangerous text before it is output to HTML. However, this function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting issue under certain circumstances. The PHP functions provided by Drupal for HTML escaping are not affected by this issue.

**Recommendations**

For Drupal 8.4.x versions before 8.4.5, update to version 8.4.5 or later.

For Drupal 7.x versions before 7.57, update to version 7.57 or later.