The Drupal core Media module allows embedding internal and external media in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed media. In some cases, this could lead to cross-site scripting.
This advisory is not covered by Drupal Steward.
Also see Entity Embed - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2021-028 which addresses a similar vulnerability for that module.
Updated 18:15 UTC to clarify text.
Install the latest version:
- If you are using Drupal 9.2, update to Drupal 9.2.6.
- If you are using Drupal 9.1, update to Drupal 9.1.13.
- If you are using Drupal 8.9, update to Drupal 8.9.19.
Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are end-of-life and do not receive security coverage.
Drupal 7 core is not affected.
- Aaron Zinck
- Sean Blommaert
- Alex Bronstein of the Drupal Security Team
- Marcos Cano
- Lee Rowlands of the Drupal Security Team
- Adam G-H
- xjm of the Drupal Security Team
- Drew Webber of the Drupal Security Team
- Neil Drumm of the Drupal Security Team
- Brian Tofte-Schumacher