[Security-news] CKEditor 4 LTS - WYSIWYG HTML editor - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-009
security-news at drupal.org
security-news at drupal.org
Wed Feb 14 20:08:09 UTC 2024
View online: https://www.drupal.org/sa-contrib-2024-009
Project: CKEditor 4 LTS - WYSIWYG HTML editor [1]
Date: 2024-February-14
Security risk: *Moderately critical* 12∕25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross Site Scripting
Affected versions: >=1.0.0 <1.0.1
Description:
The CKEditor 4 LTS - WYSIWYG HTML editor module uses the CKEditor library for
WYSIWYG editing. CKEditor has released a security update [3] that on certain
configurations may impact the Drupal module that bundles and integrates this
code.
The vulnerability is mitigated by the fact it requires:
1) full-page editing [4] mode is enabled
2) or CDATA elements in Advanced Content Filtering configuration (defaults
to script and style elements) are enabled.
3) An attacker must have a permission with access to the CKEditor instance.
For more information, see CKEditor's security advisory:
CVE-2024-24815 [5]: Cross-site scripting (XSS) vulnerability caused by
incorrect CDATA detection
Solution:
Install the latest version:
* If you use the CKEditor 4 LTS - WYSIWYG HTML editor module for Drupal
9.4+, upgrade to ckeditor_lts 1.0.1 [6]
Reported By:
* cilefen [7] of the Drupal Security Team
* Juraj Nemec [8] of the Drupal Security Team
Fixed By:
* Wojciech Kukowski [9]
* Jacek Bogdański [10]
* Dawid [11]
Coordinated By:
* Greg Knaddison [12] of the Drupal Security Team
* catch [13] of the Drupal Security Team
[1] https://www.drupal.org/project/ckeditor_lts
[2] https://www.drupal.org/security-team/risk-levels
[3] https://ckeditor.com/cke4/release/CKEditor-4.24.0-LTS
[4] https://ckeditor.com/docs/ckeditor4/latest/features/fullpage.html
[5]
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm
[6] https://www.drupal.org/project/ckeditor_lts/releases/1.0.1
[7] https://www.drupal.org/user/1850070
[8] https://www.drupal.org/user/272316
[9] https://www.drupal.org/user/3104645
[10] https://www.drupal.org/user/3683355
[11] https://www.drupal.org/user/3741013
[12] https://www.drupal.org/user/36762
[13] https://www.drupal.org/user/35733
More information about the Security-news
mailing list