CVE-2017-6927: XSS
First published: Tue Feb 20 2018(Updated: )
Drupal 8.4.x versions before 8.4.5 and Drupal 7.x versions before 7.57 has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output does not typically go through Twig autoescaping). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances. The PHP functions which Drupal provides for HTML escaping are not affected.
Credit: mlhess@drupal.org mlhess@drupal.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/drupal/core | >=8.0<8.1.0>=8.1.0<8.2.0>=8.2.0<8.3.0>=8.3.0<8.4.0>=8.4.0<8.4.5 | |
| composer/drupal/drupal | >=8.0<8.1.0>=8.1.0<8.2.0>=8.2.0<8.3.0>=8.3.0<8.4.0>=8.4.0<8.4.5 | |
| debian/drupal7 | ||
| debian/drupal7 | <=7.32-1<=7.56-1 | 7.57-1 7.52-2+deb9u2 7.32-1+deb8u10 |
| composer/drupal/drupal | >=7.0<7.57 | 7.57 |
| composer/drupal/drupal | >=8.4.0<8.4.5 | 8.4.5 |
| composer/drupal/core | >=7.0<7.57 | 7.57 |
| composer/drupal/core | >=8.4.0<8.4.5 | 8.4.5 |
| Drupal | >=7.0<7.57 | |
| Drupal | >=8.4.0<8.4.5 | |
| Debian Linux | =7.0 | |
| Debian Linux | =8.0 | |
| Debian Linux | =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.drupal.org/SA-CORE-2018-001
- http://www.securityfocus.com/bid/103138
- https://lists.debian.org/debian-lts-announce/2018/02/msg00030.html
- https://www.debian.org/security/2018/dsa-4123
- https://www.drupal.org/sa-core-2018-001
- https://security-tracker.debian.org/tracker/CVE-2017-6927
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891150
- https://nvd.nist.gov/vuln/detail/CVE-2017-6927
- https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2017-6927.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2017-6927.yaml
- https://github.com/advisories/GHSA-585j-5449-mf5m (Advisory)
Frequently Asked Questions
What is the severity of CVE-2017-6927?
CVE-2017-6927 has a moderate severity level that could lead to potential cross-site scripting vulnerabilities.
How do I fix CVE-2017-6927?
To fix CVE-2017-6927, upgrade your Drupal installation to version 7.57 or 8.4.5 or later.
Which versions of Drupal are affected by CVE-2017-6927?
CVE-2017-6927 affects Drupal versions 8.4.x prior to 8.4.5 and 7.x prior to 7.57.
What kind of vulnerability is CVE-2017-6927?
CVE-2017-6927 is a cross-site scripting (XSS) vulnerability due to improper handling of JavaScript output.
Is CVE-2017-6927 a critical vulnerability?
No, CVE-2017-6927 is considered a moderate vulnerability rather than critical.
- collector/friends-of-php
- collector/security-tracker-debian
- collector/debian-bugs
- alias/CVE-2017-6927
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-585j-5449-mf5m
- agent/software-canonical-lookup
- agent/weakness
- agent/severity
- agent/references
- agent/description
- agent/author
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- package-manager/composer
- package-manager/debian
- vendor/drupal
- canonical/drupal
- version/drupal/7.0
- version/drupal/8.4.0
- vendor/debian
- canonical/debian linux
- version/debian linux/7.0
- version/debian linux/8.0
- version/debian linux/9.0