Unknown · CKEditor 5 · CVE-2024-11942
Name of the Vulnerable Software and Affected Versions:
Drupal Core versions 10.0.0 through 10.2.9
Description:
A file manipulation vulnerability exists in Drupal Core. The underlying weakness is classed as improper handling of an error condition, which a remote attacker can use to affect the integrity of protected data. Under certain uncommon site configurations, a bug in the CKEditor 5 module can cause some image uploads to move the entire webroot to a different location on the file system; in practice this takes the site offline, so a user who is allowed to upload images through CKEditor 5 can take down the site. The issue is mitigated by the fact that several non-default site configurations must exist simultaneously for the bug to be reachable.
Recommendations:
For Drupal Core versions 10.0.0 through 10.2.9, update to version 10.2.10 or later to resolve the issue. Until the update is applied, reduce exposure by limiting who can reach the vulnerable upload path: restrict which roles may use text formats that have CKEditor 5 image uploads enabled, or disable image uploads in those text formats altogether. Do not use the CKEditor 5 module for image uploads until the update is in place, and verify the installed core version against the affected range rather than assuming the site was patched.
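The following script is an added example, not code from the advisory or from the Drupal project. It performs the two checks a site owner would want before and after applying the update: it reads the pinned drupal/core version out of composer.lock and compares it against the affected range stated above (10.0.0 up to but not including 10.2.10), and it scans exported editor.editor.* config items to list the text formats that use CKEditor 5 with image uploads enabled (the image_upload.status key is the standard Drupal setting for that). The composer.lock fragment and the two config files embedded below are constructed sample inputs, not taken from any real site.

```python
import json
import re

# Affected range taken from the advisory text above: 10.0.0 up to and including 10.2.9.
AFFECTED_MIN = (10, 0, 0)
FIXED_IN = (10, 2, 10)


def parse_version(version):
    """Reduce a Composer version string to a numeric (major, minor, patch) tuple.

    Suffixes such as '-rc1' or '-dev' are ignored; branch aliases like
    '10.2.x-dev' have no numeric patch level and return None so the caller
    can flag them for manual review instead of silently passing them.
    """
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version)
    if m is None:
        return None
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True/False for a parseable version, None when it cannot be classified."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return AFFECTED_MIN <= parsed < FIXED_IN


def core_version_from_lock(lock_text):
    """Return the pinned drupal/core version from composer.lock JSON, or None."""
    data = json.loads(lock_text)
    for pkg in data.get("packages", []):
        if pkg.get("name") == "drupal/core":
            return pkg.get("version")
    return None


def formats_with_image_upload(editor_configs):
    """editor_configs maps config file name -> YAML text of an editor.editor.* item.

    Returns the text formats that use CKEditor 5 and have image_upload.status
    enabled.  A deliberately small line-based parser is used so the check needs
    no YAML library; it only inspects the top-level 'image_upload:' mapping.
    """
    exposed = []
    for name, text in editor_configs.items():
        fmt = editor = None
        upload_enabled = False
        in_upload = False
        for line in text.splitlines():
            if not line.strip():
                continue
            top_level = not line[0].isspace()
            if top_level:
                in_upload = line.strip() == "image_upload:"
                key, _, value = line.partition(":")
                if key == "format":
                    fmt = value.strip()
                elif key == "editor":
                    editor = value.strip()
            elif in_upload:
                key, _, value = line.strip().partition(":")
                if key == "status" and value.strip().lower() == "true":
                    upload_enabled = True
        if editor == "ckeditor5" and upload_enabled:
            exposed.append(fmt or name)
    return sorted(exposed)


# Constructed sample inputs (hypothetical site, not real data).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.2.9"},
        {"name": "drupal/core-composer-scaffold", "version": "10.2.9"},
    ]
})

SAMPLE_EDITOR_CONFIGS = {
    "editor.editor.basic_html.yml": (
        "langcode: en\nstatus: true\nformat: basic_html\neditor: ckeditor5\n"
        "settings:\n  plugins: {  }\nimage_upload:\n  status: true\n"
        "  scheme: public\n  directory: inline-images\n"
    ),
    "editor.editor.full_html.yml": (
        "langcode: en\nstatus: true\nformat: full_html\neditor: ckeditor5\n"
        "settings:\n  plugins: {  }\nimage_upload:\n  status: false\n"
    ),
}


def assess(lock_text, editor_configs):
    """Combine both checks into one report: is core in range, and which
    text formats still expose CKEditor 5 image uploads."""
    version = core_version_from_lock(lock_text)
    return {
        "core_version": version,
        "core_affected": is_affected(version) if version else None,
        "formats_with_ckeditor5_uploads": formats_with_image_upload(editor_configs),
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_LOCK, SAMPLE_EDITOR_CONFIGS), indent=2))
```

On a real site, feed the script the project's composer.lock and the editor.editor.*.yml files from the config sync directory. A None result for core_affected means the version string could not be parsed (for example a branch alias) and should be checked by hand; any text format listed under formats_with_ckeditor5_uploads is one where the workaround above (restricting roles or disabling image_upload) applies.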