View online: https://www.drupal.org/node/2357029
* Advisory ID: DRUPAL-SA-CONTRIB-2014-098 * Project: CKEditor - WYSIWYG HTML editor [1] (third-party module) * Version: 6.x, 7.x * Date: 2014-October-15 * Security risk: 16/25 ( Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2] * Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The CKEditor module (and its predecessor, FCKeditor module) allows Drupal to replace textarea fields with CKEditor 3.x/4.x (FCKeditor 2.x in case of FCKeditor module) - a visual HTML editor, sometimes called WYSIWYG editor.
Both modules define a function, called via an ajax request, that filters text before passing it into the editor, to prevent certain cross site scripting attacks on content edits (that the JavaScript library might not handle). Because the function did not check a CSRF token for anonymous users, it was possible to perform reflected XSS against anonymous users via CSRF.
The problem existed in CKEditor/FCKeditor modules for Drupal, not in JavaScript libraries with the same names.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* CKEditor 7.x-1.x versions prior to 7.x-1.15. * CKEditor 6.x-1.x versions prior to 6.x-1.14. * FCKeditor 6.x-2.x versions prior to 6.x-2.3.
Drupal core is not affected. If you do not use the contributed CKEditor - WYSIWYG HTML editor [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the CKEditor module for Drupal 7.x, upgrade to CKEditor 7.x-1.16 [5] * If you use the CKEditor module for Drupal 6.x, upgrade to CKEditor 6.x-1.15 [6] * If you use the FCKeditor module for Drupal 6.x, upgrade to FCKeditor 6.x-2.4 [7]
Also see the CKEditor - WYSIWYG HTML editor [8] project page.
-------- REPORTED BY ---------------------------------------------------------
* Antonio Sánchez [9]
-------- FIXED BY ------------------------------------------------------------
* Wiktor Walc [10] the module maintainer * Nguyễn Hải Nam [11] the module maintainer * Matt Vance [12] of the Drupal Security Team
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [13] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [14].
Learn more about the Drupal Security team and their policies [15], writing secure code for Drupal [16], and securing your site [17].
[1] https://www.drupal.org/project/ckeditor [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/ckeditor [5] https://www.drupal.org/node/2356563 [6] https://www.drupal.org/node/2356565 [7] https://www.drupal.org/node/2356557 [8] https://www.drupal.org/project/ckeditor [9] https://www.drupal.org/user/2957675 [10] https://www.drupal.org/u/wwalc [11] https://www.drupal.org/u/jcisio [12] https://www.drupal.org/u/matt-v. [13] https://www.drupal.org/u/greggles [14] https://www.drupal.org/contact [15] https://www.drupal.org/security-team [16] https://www.drupal.org/writing-secure-code [17] https://www.drupal.org/security/secure-configuration