Project: Drupal core
Date: 2020-April-18
Security risk: Moderately critical 12/25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross Site Scripting
Description:
CKEditor, a third-party JavaScript library included in Drupal core, has fixed a cross-site scripting (XSS) vulnerability. The vulnerability allowed XSS to be executed inside CKEditor when the image2 plugin (which Drupal 8 core also uses) was in use.
We would like to thank the CKEditor team for patching the vulnerability, coordinating the fix and release process, and matching the Drupal core security window.
Solution: If you are using Drupal 8, update to Drupal 8.5.2 or Drupal 8.4.7.
The Drupal 7.x CKEditor contributed module is not affected if you are running CKEditor module 7.x-1.18 and loading CKEditor from the CDN, since that version currently uses a release of the CKEditor library that is not vulnerable.
If you installed CKEditor in Drupal 7 using another method (for example with the WYSIWYG module, or the CKEditor module with a local copy of CKEditor) and you are using a version of CKEditor from 4.5.11 up to 4.9.1, update the third-party JavaScript library by downloading CKEditor 4.9.2 from CKEditor's site.
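A defender-side check for the local-library case above, added here as an example and not part of the advisory: it pulls the version string out of a locally installed ckeditor.js and reports whether it falls inside the affected 4.5.11 to 4.9.1 range. The assumption that built ckeditor.js files embed the release as `version:"4.x.y"` (or `CKEDITOR.version="4.x.y"`) is mine; adjust the regex if your build differs.

```python
import re
import sys

# Affected range stated in the advisory (inclusive) and the fixed release.
VULNERABLE_MIN = (4, 5, 11)
VULNERABLE_MAX = (4, 9, 1)
FIXED_VERSION = "4.9.2"

# Assumption: built ckeditor.js files carry the release as version:"4.x.y"
# or CKEDITOR.version="4.x.y". Adjust if your copy differs.
_VERSION_RE = re.compile(r'version\s*[:=]\s*["\']([0-9]+(?:\.[0-9]+)+)["\']')


def parse_version(text):
    """Turn '4.9.1' into (4, 9, 1) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))


def extract_version(js_source):
    """Return the version string found in a ckeditor.js source, or None."""
    match = _VERSION_RE.search(js_source)
    return match.group(1) if match else None


def is_vulnerable(version):
    """True when the version lies inside 4.5.11 .. 4.9.1 (inclusive)."""
    return VULNERABLE_MIN <= parse_version(version) <= VULNERABLE_MAX


def assess(js_source):
    """Classify a ckeditor.js source as 'unknown', 'vulnerable' or 'not affected'."""
    version = extract_version(js_source)
    if version is None:
        return "unknown", None
    return ("vulnerable" if is_vulnerable(version) else "not affected"), version


# Constructed sample standing in for the head of a locally installed ckeditor.js.
SAMPLE_JS = 'window.CKEDITOR||(window.CKEDITOR=function(){var a={timestamp:"X",version:"4.8.0",revision:"abc"};'

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as handle:
            source = handle.read()
    else:
        source = SAMPLE_JS
    status, version = assess(source)
    print("CKEditor %s: %s" % (version, status))
    if status == "vulnerable":
        print("Update the library to CKEditor %s or later." % FIXED_VERSION)
```

Run it as `python check_ckeditor.py path/to/ckeditor.js`; without an argument it runs against the constructed sample.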
Reported By: Kyaw Min Thein
Fixed By: Marek Lewandowski of the CKEditor team
Wiktor Walc of the CKEditor team
Wim Leers
xjm of the Drupal Security Team
Lee Rowlands of the Drupal Security Team
Daniel Wehner
Hai-Nam Nguyen
Matthew Grill