Project: 
Date: 2021-September-15
Vulnerability: Cross Site Request Forgery
Affected versions: <1.2.0
CVE IDs: CVE-2020-13673
Description: 

This advisory addresses a similar issue to Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-006.

The Entity Embed module provides a filter to allow embedding entities in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed entities. In some cases, this could lead to cross-site scripting.

Solution: 

Install the latest version:

Drupal 7 versions of Entity Embed do not have a stable release and therefore do not receive security coverage.
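
To check whether a Composer-managed site is still in the affected range (<1.2.0), the following added example (not part of the advisory or the Entity Embed project) reads `composer.lock` content and classifies the installed release. It assumes the module's Composer package name is `drupal/entity_embed`, treats pre-releases of 1.2.0 as affected, and flags dev snapshots for manual review; the lock excerpt is constructed sample data.

```python
import json
import re

PACKAGE = "drupal/entity_embed"  # assumed Composer name of the Entity Embed module
FIXED = (1, 2, 0)                # advisory: versions <1.2.0 are affected

def parse_version(raw):
    """Return (major, minor, patch, is_prerelease), or None for dev/unparseable builds."""
    v = raw.strip().lstrip("v")
    v = re.sub(r"^\d+\.x-", "", v)  # legacy Drupal form, e.g. 8.x-1.1 -> 1.1
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.]+))?", v)
    if not m or (m.group(4) or "").startswith("dev"):
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0),
            m.group(4) is not None)

def status(raw):
    """Classify one version string against the advisory's affected range."""
    parsed = parse_version(raw)
    if parsed is None:
        return "review"  # dev snapshot: cannot be ordered reliably, check by hand
    *release, prerelease = parsed
    # Assumption: alpha/beta/rc builds of 1.2.0 predate the fixed release.
    if tuple(release) < FIXED or (tuple(release) == FIXED and prerelease):
        return "affected"
    return "fixed"

def audit_lock(lock_text):
    """Find Entity Embed in composer.lock content; return (version, status) or None."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            return pkg["version"], status(pkg["version"])
    return None  # module not installed through Composer

# Constructed sample composer.lock excerpt (not from a real site).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "example/unrelated", "version": "3.4.5"},
    {"name": "drupal/entity_embed", "version": "1.1.0"},
]})

if __name__ == "__main__":
    print(audit_lock(SAMPLE_LOCK))
```
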

Reported By: 
Fixed By: 
Coordinated By: 
  • xjm of the Drupal Security Team
  • Drew Webber of the Drupal Security Team