Drupal issues two moderately critical security advisories

Drupal has released security updates to address cross-site scripting (XSS) and Open Redirect vulnerabilities affecting Drupal 7, 8.7, and 8.8.

A remote attacker could exploit these vulnerabilities to compromise an affected system.

In the first security advisory, SA-CORE-2020-002, Drupal patched two XSS vulnerabilities in jQuery's DOM manipulation methods, such as .html(), .append(), and others.

The XSS vulnerabilities (CVE-2020-11022 and CVE-2020-11023) affect all versions of Drupal.

In the second advisory SA-CORE-2020-003, Drupal patched an Open Redirect vulnerability. This issue is caused by insufficient validation of the destination query parameter in the drupal_goto() function.

The Open Redirect vulnerability impacted Drupal 7 versions.
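
The kind of check a `destination` query parameter needs before it reaches a redirect, shown as an added example that is not Drupal's code or its patch. The helper names `is_safe_local_destination()` and `resolve_destination()` are hypothetical, and the sample values are constructed.

```php
<?php
// Added example: hypothetical helpers, not Drupal core code or its patch.

// True only when $destination is a site-relative path or query string.
function is_safe_local_destination(string $destination): bool {
  // Empty input and control characters (CR, LF, NUL, tab) are never valid.
  if ($destination === '' || preg_match('/[\x00-\x1F\x7F]/', $destination)) {
    return false;
  }
  // Browsers normalise "\" to "/", so treat any backslash as unsafe.
  if (strpos($destination, '\\') !== false) {
    return false;
  }
  // "//host/path" is protocol-relative and resolves to another host.
  if (strncmp($destination, '//', 2) === 0) {
    return false;
  }
  // A colon before the first "/", "?" or "#" is a URL scheme.
  $head = substr($destination, 0, strcspn($destination, '/?#'));
  return strpos($head, ':') === false;
}

// Use the requested destination only if it is local; otherwise fall back.
function resolve_destination(?string $destination, string $fallback = '/'): string {
  if ($destination !== null && is_safe_local_destination($destination)) {
    return $destination;
  }
  return $fallback;
}

// Constructed sample values for the destination query parameter.
$samples = [
  'node/42',
  '/admin/content?page=2',
  'search?keys=a:b',
  'https://example.org/login',
  '//example.org/login',
  '/\\example.org/login',
];

foreach ($samples as $sample) {
  $shown = json_encode($sample, JSON_UNESCAPED_SLASHES);
  printf("%-32s -> %s\n", $shown, resolve_destination($sample));
}
```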