drupal security adv

Project: Drupal coreDate: 2025-March-19Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingAffected versions: >= 8.0.0 < 10.3.14 || >= 10.4.0 < 10.4.5 || >= 11.0.0 < 11.0.13 || >= 11.1.0 < 11.1.5Description: 

Drupal core Link field attributes are not sufficiently sanitized, which can lead to a Cross Site Scripting vulnerability (XSS).

This vulnerability is mitigated by that fact that an attacker would need to have the ability to add specific attributes to a Link field, which typically requires edit access via core web services, or a contrib or custom module.

Sites with the Link module disabled or that do not use any link fields are not affected.

Solution: 

Install the latest version:

• If you use Drupal 10.3.x, update to Drupal 10.3.14
• If you use Drupal 10.4.x, update to Drupal 10.4.5
• If you use Drupal 11.0.x, update to Drupal 11.0.13
• If you use Drupal 11.1.x, update to Drupal 11.1.5

All versions of Drupal prior to 10.3 are end-of-life and do not receive security coverage from the Drupal Security Team.

Reported By: 

• Samuel Mortenson (samuel.mortenson)

Fixed By: 

• Benji Fisher (benjifisher) of the Drupal Security Team
• Bram Driesen (bramdriesen) Provisional Member of the Drupal Security Team
• Alex Bronstein (effulgentsia)
• Jen Lampton (jenlampton) Provisional Member of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Dave Long (longwave) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Joseph Zhao (pandaski) Provisional Member of the Drupal Security Team
• Adam G-H (phenaproxima)
• Samuel Mortenson (samuel.mortenson)
• Jess (xjm) of the Drupal Security Team