Critical 15∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
Drupal 8 and 9 have a reflected cross-site scripting (XSS) vulnerability under certain circumstances.
An attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability.
Install the latest version:
Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10.
In addition to updating Drupal core, sites that override
buildFormAction() methods in contrib and/or custom code should ensure that appropriate sanitization is applied for URLs.