CVE-2017-6927: XSS
First published: Tue Feb 20 2018(Updated: )
Drupal 8.4.x versions before 8.4.5 and Drupal 7.x versions before 7.57 has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output does not typically go through Twig autoescaping). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances. The PHP functions which Drupal provides for HTML escaping are not affected.
Credit: mlhess@drupal.org mlhess@drupal.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/drupal/core | >=8.0<8.1.0>=8.1.0<8.2.0>=8.2.0<8.3.0>=8.3.0<8.4.0>=8.4.0<8.4.5 | |
| composer/drupal/drupal | >=8.0<8.1.0>=8.1.0<8.2.0>=8.2.0<8.3.0>=8.3.0<8.4.0>=8.4.0<8.4.5 | |
| Drupal Drupal | >=7.0<7.57 | |
| Drupal Drupal | >=8.4.0<8.4.5 | |
| Debian Debian Linux | =7.0 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 | |
| debian/drupal7 | ||
| debian/drupal7 | <=7.32-1<=7.56-1 | 7.57-1 7.52-2+deb9u2 7.32-1+deb8u10 |
| composer/drupal/drupal | >=7.0<7.57 | 7.57 |
| composer/drupal/drupal | >=8.4.0<8.4.5 | 8.4.5 |
| composer/drupal/core | >=7.0<7.57 | 7.57 |
| composer/drupal/core | >=8.4.0<8.4.5 | 8.4.5 |
| >=7.0<7.57 | ||
| >=8.4.0<8.4.5 | ||
| =7.0 | ||
| =8.0 | ||
| =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.drupal.org/SA-CORE-2018-001
- http://www.securityfocus.com/bid/103138
- https://lists.debian.org/debian-lts-announce/2018/02/msg00030.html
- https://www.debian.org/security/2018/dsa-4123
- https://www.drupal.org/sa-core-2018-001
- https://security-tracker.debian.org/tracker/CVE-2017-6927
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891150
- https://nvd.nist.gov/vuln/detail/CVE-2017-6927
- https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2017-6927.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2017-6927.yaml
- https://github.com/advisories/GHSA-585j-5449-mf5m (Advisory)
- collector/friends-of-php
- collector/nvd-index
- collector/security-tracker-debian
- collector/debian-bugs
- alias/CVE-2017-6927
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-585j-5449-mf5m
- agent/software-canonical-lookup
- agent/weakness
- agent/last-modified-date
- agent/severity
- agent/references
- agent/description
- agent/author
- agent/softwarecombine
- agent/event
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/composer
- vendor/drupal
- canonical/drupal drupal
- version/drupal drupal/7.0
- version/drupal drupal/8.4.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/7.0
- version/debian debian linux/8.0
- version/debian debian linux/9.0
- package-manager/debian