The security team of the open source project Drupal has published today, September 16, several security bulletins for the project core in its versions 7, 8 and 9. The security bulletins are the product of the great work that the project does to maintain good security practices. As always, the recommendation is to update to the most recent version.
In total there are four bulletins that we are going to describe below to give you a better idea of what each of them covers.
SA-CORE-2020-007
Security Risk: Moderately critical, 14 out of 25. According to the rating received, access to the vulnerability is basic: the user only has to follow a few steps. However, it can only be exploited by certain authenticated users who have basic levels of access. If access is achieved, some non-public data could be accessed and modified. To date there are no known exploits for this vulnerability, but keep in mind that if the vulnerability is successfully exploited, many configurations are exposed.
Affected versions: 7, 8 and 9
Type of vulnerability: Cross-site scripting (XSS). This is a well-known type of vulnerability in web applications in which an attacker can inject script code into the target web page to access information, commonly through forms or in server-side languages.
Description: JSONP is a JavaScript technique that allows you to request data using the tag