Drupal core 11.2 and above integrate the HTMX JavaScript library.
Drupal core's XSS filter does not sufficiently sanitize certain HTMX attributes, which can lead to a cross-site scripting (XSS) vulnerability.
The vulnerability is mitigated by the fact an attacker must be able to insert HTML with specific attributes.
Install the latest version:
Drupal 11
- If you use Drupal 11.4.x, update to Drupal 11.4.4.
- If you use Drupal 11.3.x, update to Drupal 11.3.14.
- Drupal 11.2.x and below are end-of-life and do not receive security coverage.
Drupal 10
- Drupal 10 core is not affected. However, certain contributed modules may be affected, so a Drupal 10.6 fix is included as hardening.
- Pierre Rudloff (prudloff) of the Drupal Security Team
- Shawn Duncan (fathershawn)
- Pierre Rudloff (prudloff) of the Drupal Security Team
- catch (catch) of the Drupal Security Team
- Lee Rowlands (larowlan) of the Drupal Security Team
- Dave Long (longwave) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team