Drupal has released security updates to address cross-site scripting (XSS) and Open Redirect vulnerabilities affecting Drupal 7, 8.7, and 8.8.
A remote attacker could exploit these vulnerabilities to compromise an affected system.
In the first security advisory, SA-CORE-2020-002, Drupal patched two XSS vulnerabilities in jQuery’s DOM manipulation methods, such as .html(), .append(), and others.
The XSS vulnerabilities (CVE-2020-11022 and CVE-2020-11023) affect all versions of Drupal.
In the second advisory SA-CORE-2020-003, Drupal patched an Open Redirect vulnerability. This issue is caused by insufficient validation of the destination query parameter in the drupal_goto() function.
The Open Redirect vulnerability impacted Drupal 7 versions.
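The kind of check whose absence leads to an open redirect through a destination parameter is sketched below. This is an added example, not Drupal core code and not the SA-CORE-2020-003 patch; the function names, the `/` fallback, and the sample inputs are assumptions made for illustration.

```php
<?php
// Added illustration (hypothetical helper names), not Drupal's own code.

/**
 * Returns TRUE only if $destination stays on the current site.
 */
function example_destination_is_local(string $destination): bool {
  // Empty values and control characters (including CR/LF) are never valid.
  if ($destination === '' || preg_match('/[\x00-\x1F\x7F]/', $destination)) {
    return FALSE;
  }
  // Browsers treat backslashes like forward slashes, so normalise first.
  $normalised = str_replace('\\', '/', $destination);
  // A leading "//" is a protocol-relative URL that points at another host.
  if (strpos($normalised, '//') === 0) {
    return FALSE;
  }
  // A colon before the first "/", "?" or "#" means the value carries a scheme.
  $colon = strpos($normalised, ':');
  if ($colon !== FALSE && $colon < strcspn($normalised, '/?#')) {
    return FALSE;
  }
  return TRUE;
}

/**
 * Picks the redirect target, falling back to $default for unsafe input.
 */
function example_resolve_destination(array $query, string $default = '/'): string {
  $destination = $query['destination'] ?? '';
  if (!is_string($destination) || !example_destination_is_local($destination)) {
    return $default;
  }
  return $destination;
}

// Constructed sample inputs: two local paths, then three off-site forms.
$samples = [
  'node/42',
  'admin/content?page=2',
  'https://other.example/login',
  '//other.example/login',
  '\\\\other.example/login',
];
foreach ($samples as $sample) {
  printf("%-30s => %s\n", $sample, example_resolve_destination(['destination' => $sample]));
}
```

The two local paths are returned unchanged, while the three off-site values resolve to the `/` fallback.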