PT-2018-8351 · Drupal · Drupal

Author: Grant Gaudet · Published: 2018-02-24 · Updated: 2022-05-14 · CVE-2017-6927

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Drupal versions 8.4.x before 8.4.5
Drupal versions 7.x before 7.57

Description
The issue arises from the Drupal.checkPlain() JavaScript function, which is intended to escape potentially dangerous text before it is output to HTML. This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting issue under certain circumstances. The PHP functions provided by Drupal for HTML escaping are not affected by this issue.

Recommendations
For Drupal 8.4.x versions before 8.4.5, update to version 8.4.5 or later. For Drupal 7.x versions before 7.57, update to version 7.57 or later.
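The description above only says that the escaper is incomplete, not which characters it misses. The example below is added here and is not Drupal's code or the patched checkPlain(); it contrasts an escaper that neutralises only the characters relevant to element text (a constructed, deliberately incomplete variant) with one that also escapes both quote characters, and checks whether the result is inert when placed inside an HTML attribute value. All function names and the sample input are constructed for the example.

```javascript
// Added example, not Drupal's code. Replacement table covering the five
// characters an HTML escaper must neutralise for both text and attribute contexts.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Complete escaper: safe for element content and for double- or single-quoted
// attribute values, because every delimiter that could end the context is encoded.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed, deliberately incomplete escaper for contrast: it only covers what a
// text node needs. Quotes survive, so a value can still terminate an attribute.
function escapeTextOnly(str) {
  return String(str).replace(/[&<>]/g, (ch) => HTML_ESCAPES[ch]);
}

// Conservative check: an escaped string is inert inside an attribute only if no
// raw quote or angle bracket remains in it.
function isInertForAttribute(escaped) {
  return !/[<>"']/.test(escaped);
}

// Builds a fragment that uses the same untrusted value in both contexts, which is
// exactly where an escaper that only handles element text falls short.
function renderFragment(untrusted, escaper) {
  const safe = escaper(untrusted);
  return `<span title="${safe}">${safe}</span>`;
}

// Constructed sample input that contains every metacharacter.
const SAMPLE = `Tom & "Jerry" <b>'bold'</b>`;

// Stand-alone demonstration.
console.log(renderFragment(SAMPLE, escapeHtml));
console.log('complete escaper inert in attribute:', isInertForAttribute(escapeHtml(SAMPLE)));
console.log('text-only escaper inert in attribute:', isInertForAttribute(escapeTextOnly(SAMPLE)));
```

The defensive takeaway is the one the advisory implies: an escaping helper is only as safe as the set of contexts it was designed for, so either use a single escaper that covers text and attribute contexts, or never reuse a text-only escaper for attribute values.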

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2017-6927
DLA-1295-1
DSA-4123-1
GHSA-585J-5449-MF5M

Affected Products

Drupal