Security News, May 2020: XSS, Open Redirect Vulnerabilities Patched in Drupal
The latest Drupal updates patch cross-site scripting and open redirect vulnerabilities, but they have only been assigned "Moderately critical" severity ratings.
Drupal 7.70 fixes an open redirect vulnerability caused by "insufficient validation of the destination query parameter in the drupal_goto() function." An attacker can exploit the flaw to redirect users to an arbitrary, attacker-controlled URL by getting them to click on a specially crafted link, Drupal said in its advisory.
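To make the vulnerability class concrete, the following is an added example written for this page; it is not Drupal's code and not the fix shipped in 7.70. It shows the kind of check a redirect handler needs before honouring a `destination`-style query parameter: a hypothetical `is_local_destination()` validator that rejects absolute URLs, scheme-relative URLs (`//evil.example`, including the `///` and backslash variants browsers normalise to the same thing), and non-HTTP schemes, plus a hypothetical `redirect_target()` handler that falls back to an on-site path when validation fails. The sample inputs are constructed for the demonstration.

```python
"""Validating a ``destination`` query parameter before redirecting.

Added example, not Drupal's code: ``is_local_destination`` and
``redirect_target`` are hypothetical helpers that illustrate the class of
check an open redirect like the one described above calls for.
"""
from urllib.parse import parse_qs, urlsplit


def is_local_destination(dest: str) -> bool:
    """Return True only when ``dest`` resolves to a path on this site.

    ``dest`` is expected to be the *decoded* parameter value (as a framework
    hands it to application code); validating the still-encoded form would
    let ``%2F%2Fevil.example`` slip through.
    """
    if not dest:
        return False
    # Control characters and whitespace are used to smuggle schemes past
    # naive string checks (e.g. "java\tscript:"), so refuse them outright.
    if any(ord(c) < 0x20 or c in " \x7f" for c in dest):
        return False
    # Browsers treat backslashes like forward slashes when parsing the
    # authority, so "/\evil.example" is the same as "//evil.example".
    normalised = dest.replace("\\", "/")
    parts = urlsplit(normalised)
    # Anything with a scheme ("https:", "javascript:", even "http:/host")
    # or an authority ("//host") leaves the site.
    if parts.scheme or parts.netloc:
        return False
    # "///evil.example" parses with an empty netloc in Python but browsers
    # collapse the extra slashes and still go to evil.example, so reject any
    # value that begins with two slashes regardless of what urlsplit says.
    if normalised.startswith("//"):
        return False
    return True


def redirect_target(query_string: str, fallback: str = "/") -> str:
    """Decide where a login-style handler sends the user after success.

    The ``destination`` parameter is honoured only when it passes
    ``is_local_destination``; otherwise the handler uses a fixed on-site
    path instead of whatever the link supplied.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    dest = params.get("destination", [""])[0]
    return dest if is_local_destination(dest) else fallback


if __name__ == "__main__":
    # Constructed samples: legitimate Drupal-style destinations followed by
    # crafted values an attacker might place in a link.
    samples = [
        "destination=node%2F1",
        "destination=%2Fuser%2Flogin%3Fx%3D1",
        "destination=https%3A%2F%2Fevil.example%2F",
        "destination=%2F%2Fevil.example",
        "destination=%2F%5Cevil.example",
        "destination=%2F%2F%2Fevil.example",
        "destination=javascript%3Aalert(1)",
    ]
    for qs in samples:
        print(f"{qs:50} -> Location: {redirect_target(qs)}")
```

Only the first two samples reach the user as supplied; every crafted value collapses to the fallback path. The point of the extra `//` prefix check is that a library URL parser and a browser do not always agree on where the host begins, and the browser's reading is the one that matters for a redirect.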
The XSS vulnerabilities, which lie in jQuery functions used by Drupal core, also affect Drupal 8.8 and 8.7 (these versions are not impacted by the open redirect issue) and have been addressed with the release of Drupal 8.8.6 and 8.7.14.
"This Drupal security release backports the fixes to the relevant jQuery functions, without making any other changes to the jQuery version that is included in Drupal core or running on the site via some other module such as jQuery Update. It is not necessary to update jQuery Update on Drupal 7 sites that have the module installed," Drupal said.
While Drupal is not as targeted as WordPress, hackers have been known to exploit Drupal vulnerabilities to hijack websites.