The Drupal AJAX API does not disable JSONP by default, which can lead to cross-site scripting.
Install the latest version:
- If you are using Drupal 7.x, upgrade to Drupal 7.73.
- If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10.
- If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6.
- If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6.
Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10.
If you were previously relying on Drupal's AJAX API to perform trusted JSONP requests, you'll either need to override the AJAX options to set
"jsonp: true", or you'll need to use the jQuery AJAX API directly.
If you are using jQuery's AJAX API for user-provided URLs in a contrib or custom module, you should review your code and set
"jsonp: false" where this is appropriate.
Drupal 7 sites should also pass such URLs through the new
The update to Drupal 7 is likely to cause a regression in AJAX functionality on sites which use jQuery 1.5 (for example via the jQuery Update module). This issue seems to specifically affect jQuery 1.5; the version included in Drupal 7 core (1.4.4) and versions 1.6 and later do not suffer from the regression.
- Samuel Mortenson of the Drupal Security Team