The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the jQuery blog, both are
[...] security issues in jQuery’s DOM manipulation methods, as in
.append(), and the others. Security advisories for both of these issues have been published on GitHub.
Those advisories are:
These vulnerabilities may be exploitable on some Drupal sites. This Drupal security release backports the fixes to the relevant jQuery functions, without making any other changes to the jQuery version that is included in Drupal core or running on the site via some other module such as jQuery Update. It is not necessary to update jquery_update on Drupal 7 sites that have the module installed.
If you find a regression caused by the jQuery changes, please report it in Drupal core's issue queue (or that of the relevant contrib project). However, if you believe you have found a security issue, please report it privately to the Drupal Security Team.
Install the latest version:
- If you are using Drupal 8.8, upgrade to Drupal 8.8.6.
- If you are using Drupal 8.7, upgrade to Drupal 8.7.14.
- If you are using Drupal 7, upgrade to Drupal 7.70.
Versions of Drupal 8 prior to 8.7 are end-of-life and do not receive security coverage. Sites on 8.6 or earlier should update to 8.7.14.
The pre-release Drupal versions (8.9 and 9.0) have been updated jQuery to version 3.5.1 as of 8.9.0-beta3 and 9.0.0-beta3.
- Drew Webber of the Drupal Security Team
- Sally Young
- cilefen of the Drupal Security Team
- Jess of the Drupal Security Team
- Emerson Jair Reis Oliveira da Silva
- Lee Rowlands of the Drupal Security Team
- Alex Bronstein of the Drupal Security Team
- Ben Mullins
- Lauri Eskola
- Peter Weber
- Samuel Mortenson of the Drupal Security Team