Entity Embed - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2021-028
Project: Entity Embed
Date: 2021-September-15
Security risk: Moderately critical 11∕25
Vulnerability: Cross Site Request Forgery
CVE IDs: CVE-2020-13673
Description
This advisory addresses an issue similar to the one described in Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-006.
The Entity Embed module provides a filter to allow embedding entities in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed entities. In some cases, this could lead to cross-site scripting.
Solution
Install the latest version:
If you use the Entity Embed module for Drupal 8 or 9, upgrade to Entity Embed 8.x-1.2.
Drupal 7 versions of Entity Embed do not have a stable release and therefore do not receive security coverage.