Vulnerability Description
Drupal 8.4.x versions before 8.4.5 and Drupal 7.x versions before 7.57 have a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output does not typically go through Twig autoescaping). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances. The PHP functions which Drupal provides for HTML escaping are not affected.
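As an added illustration (not Drupal's own checkPlain() code, and the page does not detail which input the affected versions mishandled), the JavaScript below shows the property a client-side HTML escaper must satisfy: every HTML-significant character is neutralised in a single pass, and the result is checked against each output context the text can land in. The escaper, the context renderer, the staysInert() check and the sample inputs are all constructed for this example.

```javascript
// Map of the five characters that can change HTML structure or end an
// attribute value. Escaping only a subset leaves one context exploitable.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape text so it can be concatenated into HTML markup.
// A single regex pass avoids re-escaping the '&' produced by an earlier
// replacement, which is the classic bug in character-by-character loops.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build a fragment for each output context from an already-escaped value.
function renderInContext(context, escaped) {
  switch (context) {
    case 'text':        return `<span>${escaped}</span>`;
    case 'attr-double': return `<span title="${escaped}"></span>`;
    case 'attr-single': return `<span title='${escaped}'></span>`;
    default: throw new Error(`unknown context ${context}`);
  }
}

// True if the rendered markup still contains exactly the one element we
// built: the escaped text opened no new tag and closed no attribute.
// This is a structural check on the serialised string, not a DOM parse.
function staysInert(context, raw) {
  const markup = renderInContext(context, escapeHtml(raw));
  const tagCount = (markup.match(/<\/?[a-zA-Z]/g) || []).length; // <span>, </span>
  if (context === 'text') return tagCount === 2;
  const quote = context === 'attr-single' ? "'" : '"';
  const quoteCount = markup.split(quote).length - 1; // opening + closing quote only
  return tagCount === 2 && quoteCount === 2;
}

// Constructed sample inputs, one per metacharacter an escaper must cover.
const SAMPLE_INPUTS = [
  '<img src=x onerror=alert(1)>',   // tag injection in a text node
  '" onmouseover="alert(1)',        // breaking out of a double-quoted attribute
  "' onmouseover='alert(1)",        // breaking out of a single-quoted attribute
  'Tom & Jerry',                    // benign ampersand must survive intact
];

// Verify every sample is inert in every context.
function allInert() {
  return ['text', 'attr-double', 'attr-single'].every(
    (ctx) => SAMPLE_INPUTS.every((s) => staysInert(ctx, s)));
}
```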
CVSS Score
6.1 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Drupal | Drupal | >= 7.0, < 7.57 |
| Debian | Debian Linux | 7.0 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/103138 (Third Party Advisory, VDB Entry)
- https://lists.debian.org/debian-lts-announce/2018/02/msg00030.html (Mailing List, Third Party Advisory)
- https://www.debian.org/security/2018/dsa-4123 (Third Party Advisory)
- https://www.drupal.org/sa-core-2018-001 (Vendor Advisory)
FAQ
What is CVE-2017-6927?
CVE-2017-6927 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Drupal 8.4.x versions before 8.4.5 and Drupal 7.x versions before 7.57 has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as...
How severe is CVE-2017-6927?
CVE-2017-6927 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS score above for the severity rating.
Is there a patch for CVE-2017-6927?
Check the references section above for vendor advisories and patch information. Affected products include: Drupal (Drupal) and Debian (Debian Linux).