CVE-2017-6927
Description
Drupal 8.4.x before 8.4.5 and 7.x before 7.57 contain a cross-site scripting vulnerability in the Drupal.checkPlain() JavaScript function due to incomplete HTML escaping.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Drupal.checkPlain() JavaScript function escapes text before it is inserted into HTML on the client side. In Drupal 8.4.x before 8.4.5 and Drupal 7.x before 7.57 it does not correctly handle all methods of injecting malicious HTML, so user-supplied data passed through it can still carry markup or break out of the surrounding attribute or element [2]. The exposure is specific to JavaScript-side rendering: markup built in the browser never passes through Twig autoescaping (Drupal 8's server-side template escaping), so checkPlain() is often the only escaping applied on that path [2]. The PHP functions Drupal provides for server-side HTML escaping are not affected [3].
Exploitation
An attacker needs a way to get attacker-controlled text into a context where Drupal.checkPlain() is the only escaping applied before the string is inserted into the page, for example user-contributed content such as comments or form values that core or contributed JavaScript renders client-side. No authentication is required where such an input point is reachable by anonymous users; other scenarios require a role with permission to post comments or similar content [3]. Exploitation then consists of crafting input that survives the incomplete escaping and executes arbitrary JavaScript in the victim's browser [2]. The concrete injection vector depends on which code path feeds the function.
Impact
Successful exploitation allows an attacker to inject arbitrary HTML and JavaScript into pages served by the site, i.e. cross-site scripting. Depending on the victim's role this can lead to session hijacking, theft of cookies or tokens, defacement, redirection to attacker-controlled sites, or any action performed with the victim's privileges, compromising the confidentiality and integrity of the affected Drupal site and its users [2][3].
Mitigation
Drupal has released fixed versions: upgrade to Drupal 7.57 (7.x) or Drupal 8.4.5 (8.4.x). The fix completes the HTML escaping in Drupal.checkPlain(); Debian shipped the corresponding update as DSA-4123 and via a Debian LTS announcement. No workaround is available for unpatched versions [3]. Custom or contributed JavaScript that carries its own copy of the escaper rather than calling Drupal.checkPlain() is not corrected by the core update and needs separate review.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (registry) | Affected versions | Patched versions |
|---|---|---|
| drupal/core (Packagist) | >= 8.4.0, < 8.4.5 | 8.4.5 |
| drupal/core (Packagist) | >= 7.0, < 7.57 | 7.57 |
| drupal/drupal (Packagist) | >= 8.4.0, < 8.4.5 | 8.4.5 |
| drupal/drupal (Packagist) | >= 7.0, < 7.57 | 7.57 |
Affected products (3 entries, no CPE assigned)
- ghsa-coords, 2 versions: >= 8.4.0, < 8.4.5 (+ 1 more)
- range: >= 8.4.0, < 8.4.5
- range: 8.4.x versions before 8.4.5 and Drupal 7.x versions before 7.57
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8 references:
- github.com/advisories/GHSA-585j-5449-mf5m (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-6927 (NVD advisory)
- www.debian.org/security/2018/dsa-4123 (Debian vendor advisory DSA-4123)
- www.securityfocus.com/bid/103138 (SecurityFocus BID 103138, vulnerability database entry)
- github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2017-6927.yaml (FriendsOfPHP security-advisories, drupal/core)
- github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2017-6927.yaml (FriendsOfPHP security-advisories, drupal/drupal)
- lists.debian.org/debian-lts-announce/2018/02/msg00030.html (Debian LTS announcement, mailing list)
- www.drupal.org/sa-core-2018-001 (Drupal security advisory SA-CORE-2018-001, vendor confirmation)
News mentions
No linked articles in our index yet.