CVE-2017-6927

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2017-6927
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-6927.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-6927
Aliases
Downstream
Published
2018-03-01T23:29:00.297Z
Modified
2026-04-10T04:00:46.068727Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Drupal 8.4.x versions before 8.4.5 and Drupal 7.x versions before 7.57 has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output does not typically go through Twig autoescaping). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances. The PHP functions which Drupal provides for HTML escaping are not affected.

References

Affected packages

Git / github.com/drupal/drupal

Affected ranges

Type
GIT
Repo
https://github.com/drupal/drupal
Events
Introduced
497914920385b7016ac9c9367e0198530787adf2
Fixed
bc929eb17c4f4eea83cb796b7c5bbb984bf288bd
Introduced
abfe77673a5a6194ef13600e05f1ca2c5dd59db8
Fixed
3347ff569787d2e659a8c4b5211ea0c76894aa8a
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
497914920385b7016ac9c9367e0198530787adf2
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
35c2f3ca5c935f3d8bde15932a712677c9bbd50f
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
d62812dc17ce593beb2ccd4cdbee1a76c95e3fd7
Database specific 
{
    "versions": [
        {
            "introduced": "7.0"
        },
        {
            "fixed": "7.57"
        },
        {
            "introduced": "8.4.0"
        },
        {
            "fixed": "8.4.5"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "7.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "8.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0"
        }
    ]
}

Affected versions

7.*
7.0
7.10
7.12
7.14
7.15
7.17
7.22
7.23
7.25
7.28
7.30
7.33
7.36
7.37
7.4
7.40
7.42
7.43
7.50
7.51
7.54
7.55
7.56
7.6
7.7
7.8
7.9
8.*
8.0-alpha10
8.0-alpha11
8.0-alpha12
8.0-alpha13
8.0-alpha2
8.0-alpha3
8.0-alpha4
8.0-alpha5
8.0-alpha6
8.0-alpha7
8.0-alpha8
8.0-alpha9
8.0.0
8.0.0-alpha14
8.0.0-alpha15
8.0.0-beta1
8.0.0-beta10
8.0.0-beta11
8.0.0-beta12
8.0.0-beta13
8.0.0-beta14
8.0.0-beta15
8.0.0-beta16
8.0.0-beta2
8.0.0-beta3
8.0.0-beta4
8.0.0-beta5
8.0.0-beta6
8.0.0-beta7
8.0.0-beta9
8.0.0-rc1
8.0.0-rc2
8.0.0-rc3
8.0.0-rc4
8.1.0-beta1
8.4.0
8.4.1
8.4.3
8.4.4
9.*
9.0.0
9.0.0-alpha1
9.0.0-alpha2
9.0.0-beta1
9.0.0-beta2
9.0.0-beta3
9.0.0-rc1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-6927.json"