VYPR
Moderate severity · NVD Advisory · Published Mar 1, 2018 · Updated Sep 16, 2024

CVE-2017-6929

Description

A jQuery cross-site scripting vulnerability in Drupal when making Ajax requests to untrusted domains, fixed in Drupal 7.57 and Drupal 8.4.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A jQuery cross-site scripting (XSS) vulnerability exists in Drupal when a site makes Ajax requests to untrusted domains [2]. The underlying bug is in jQuery itself and is tracked as CVE-2015-9251 [3]: in jQuery releases before 3.0.0, an Ajax request issued without an explicit dataType takes its type from the response's Content-Type header, and a response served as JavaScript is evaluated in the requesting page's origin. Drupal 7 versions prior to 7.57 and Drupal 8 versions prior to 8.4.0 ship affected jQuery copies. Drupal core itself does not issue such requests, so a site is exploitable only if a contributed or custom module makes Ajax requests to domains the site does not control [2][3].

Exploitation

Exploitation requires a Drupal site running a contributed or custom module that makes a jQuery Ajax request to an untrusted domain without setting dataType, and an attacker who controls, or can tamper with, that domain's response [2][3]. No authentication on the Drupal site is needed; the attacker's position is on the remote server (or the path to it), not on the victim's network. When the remote server answers with a Content-Type such as text/javascript, the jQuery shipped with affected Drupal versions (1.4.4 in Drupal 7 core, 2.x in Drupal 8 before 8.4.0) infers a script response and evaluates the body, so attacker-controlled JavaScript runs in the browser of whichever user triggered the request, within that user's session on the Drupal site [3].
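The behaviour described in the Vulnerability and Exploitation sections above, as an added example that is not jQuery's, Drupal's or the advisory's own code: a reduced model of how jQuery.ajax picks a dataType when the caller gives none, showing why a cross-domain text/javascript response was executed before jQuery 3.0.0 and how the 3.0.0 prefilter that sets contents.script = false for cross-domain requests stops it. The contents regexes mirror jQuery's defaults; the module calls and the hostile Content-Type are constructed, and resolveDataType/wouldExecute are names chosen here, not jQuery APIs.

```javascript
// Added example (not jQuery's or Drupal's source): a reduced model of
// jQuery.ajax dataType inference for CVE-2015-9251 / CVE-2017-6929.
// Inputs are constructed; the hypothetical module fetches a third-party feed.

// Mirrors jQuery's default ajaxSettings.contents map: the response
// Content-Type is matched against these to infer a dataType.
function defaultContents() {
  return {
    xml: /\bxml\b/,
    html: /\bhtml/,
    json: /\bjson\b/,
    script: /\b(?:java|ecma)script\b/,
  };
}

// Mirrors the jQuery 3.0.0 fix: a prefilter that disables script inference
// for cross-domain requests, so only an explicit dataType: "script" runs code.
function crossDomainScriptPrefilter(settings) {
  if (settings.crossDomain) {
    settings.contents.script = false;
  }
}

// Resolve the dataType jQuery would use for a response, given the request
// settings and the response Content-Type. `fixed` selects pre-3.0
// behaviour (false) or 3.0+ behaviour (true).
function resolveDataType(settings, contentType, fixed) {
  const s = { crossDomain: false, dataType: undefined, contents: defaultContents(), ...settings };
  if (fixed) crossDomainScriptPrefilter(s);
  if (s.dataType) return s.dataType; // an explicit dataType always wins
  for (const [type, re] of Object.entries(s.contents)) {
    if (re && re.test(contentType)) return type;
  }
  return "text"; // nothing matched: treated as plain text, never evaluated
}

// Would this response reach the "text script" converter (globalEval)?
function wouldExecute(settings, contentType, fixed) {
  return resolveDataType(settings, contentType, fixed) === "script";
}

// Constructed module calls. The vulnerable one is the pattern the advisory
// warns about: $.ajax({ url: "https://third-party.example/feed" }) with no
// dataType. The hardened one pins the expected type.
const vulnerableCall = { crossDomain: true };
const hardenedCall = { crossDomain: true, dataType: "json" };
// Constructed: the attacker-controlled server answers with script.
const hostileResponseType = "text/javascript; charset=utf-8";

// Summarise the four combinations a reviewer cares about.
function summarize() {
  return {
    oldJquery_noDataType: wouldExecute(vulnerableCall, hostileResponseType, false),
    fixedJquery_noDataType: wouldExecute(vulnerableCall, hostileResponseType, true),
    oldJquery_explicitJson: wouldExecute(hardenedCall, hostileResponseType, false),
    fixedJquery_sameOrigin: wouldExecute({ crossDomain: false }, hostileResponseType, true),
  };
}

console.log(JSON.stringify(summarize(), null, 2));
```

The last entry in summarize() is the caveat worth remembering: the jQuery 3.0.0 change only disables inference for cross-domain requests, so a same-origin response served as text/javascript is still evaluated, and an explicit dataType remains the robust module-side defence.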

Impact

Successful exploitation runs arbitrary JavaScript in the victim's browser in the origin of the Drupal site, with that user's session. The usual XSS consequences follow: information disclosure, session hijacking, or performing actions on the site as the victim [2][3]. The Drupal security team rates the issue Moderately critical [3].

Mitigation

Drupal 7 sites should upgrade to 7.57 or later, which backports the jQuery fix into the jQuery 1.4.4 copy shipped in Drupal 7 core. Sites that replace core's jQuery through the jQuery Update module get no protection from the core update alone and must also move to a jQuery release that contains the fix [2][3]. Drupal 8 sites should upgrade to 8.4.0 or later, which moved core to jQuery 3 and so includes the upstream fix [2][3]. The official Drupal security advisory SA-CORE-2018-001 provides further details [3]. No workaround other than upgrading is recommended; independently of the upgrade, module authors can remove their own exposure by always passing an explicit dataType (for example 'json') to jQuery.ajax, since the automatic script execution only happens when none is given.
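The upgrade check above, as an added example that is not Drupal's or the advisory's code: a Node script that reads the core version constant (define('VERSION', ...) in Drupal 7's includes/bootstrap.inc, or the VERSION constant in Drupal 8's core/lib/Drupal.php) and decides whether the install falls in an affected range from the package table (>= 7.0, < 7.57 and >= 8.0, < 8.4.0). The file contents here are constructed stand-ins rather than files read from disk, and the function names are chosen here.

```javascript
// Added example (not Drupal's code): classify a Drupal install against the
// CVE-2017-6929 fixed versions by parsing the core version constant.
// Sample file contents below are constructed, not read from a real install.

const FIXED = { 7: "7.57", 8: "8.4.0" };

// Pull the version string out of either file format; null if not found.
function extractVersion(fileText) {
  const d7 = fileText.match(/define\(\s*'VERSION'\s*,\s*'([^']+)'\s*\)/);
  if (d7) return d7[1];
  const d8 = fileText.match(/const\s+VERSION\s*=\s*'([^']+)'/);
  return d8 ? d8[1] : null;
}

// Compare dotted versions numerically. A pre-release suffix (8.4.0-rc1)
// sorts below the plain release it precedes, so an RC is still "affected".
function compareVersions(a, b) {
  const [aBase, aPre] = a.split("-");
  const [bBase, bPre] = b.split("-");
  const an = aBase.split(".").map(Number);
  const bn = bBase.split(".").map(Number);
  for (let i = 0; i < Math.max(an.length, bn.length); i++) {
    const x = an[i] || 0;
    const y = bn[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  if (aPre && !bPre) return -1;
  if (!aPre && bPre) return 1;
  return 0;
}

// Returns "affected", "fixed", or "unknown" (unparseable string, a
// development version such as 7.x-dev, or a major release not in the table).
function assessDrupalVersion(fileText) {
  const v = extractVersion(fileText);
  if (!v || !/^\d+(\.\d+)*(-[0-9A-Za-z.]+)?$/.test(v)) return "unknown";
  const fixedAt = FIXED[parseInt(v, 10)];
  if (!fixedAt) return "unknown";
  return compareVersions(v, fixedAt) < 0 ? "affected" : "fixed";
}

// Constructed samples standing in for includes/bootstrap.inc (D7) and
// core/lib/Drupal.php (D8).
const D7_OLD = "<?php\n/**\n * The current system version.\n */\ndefine('VERSION', '7.56');\n";
const D7_FIXED = "<?php\ndefine('VERSION', '7.57');\n";
const D8_RC = "<?php\nclass Drupal {\n  const VERSION = '8.4.0-rc1';\n}\n";
const D8_FIXED = "<?php\nclass Drupal {\n  const VERSION = '8.4.0';\n}\n";

for (const [label, text] of [["D7 7.56", D7_OLD], ["D7 7.57", D7_FIXED], ["D8 8.4.0-rc1", D8_RC], ["D8 8.4.0", D8_FIXED]]) {
  console.log(`${label}: ${assessDrupalVersion(text)}`);
}
```

To run it against an install, pass fs.readFileSync(path, "utf8") of the real file to assessDrupalVersion. It judges only the jQuery bundled with core; a Drupal 7 site using the jQuery Update module serves a different jQuery and needs that library checked separately.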

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package         Ecosystem   Affected versions    Patched version
drupal/core     Packagist   >= 7.0, < 7.57       7.57
drupal/core     Packagist   >= 8.0, < 8.4.0      8.4.0
drupal/drupal   Packagist   >= 8.0, < 8.4.0      8.4.0
drupal/drupal   Packagist   >= 7.0, < 7.57       7.57

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 7

News mentions: 0 (no linked articles in our index yet)