View online: https://www.drupal.org/sa-core-2018-003
Project: Drupal core [1]
Date: 2018-April-18
Security risk: *Moderately critical* 12/25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross Site Scripting
Description:
CKEditor, a third-party JavaScript library included in Drupal core, has fixed a cross-site scripting (XSS) vulnerability [3]. The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor when using the image2 plugin (which Drupal 8 core also uses).
We would like to thank the CKEditor team for patching the vulnerability and coordinating the fix and release process, and matching the Drupal core security window.
Solution:
* If you are using Drupal 8, update to Drupal 8.5.2 [4] or Drupal 8.4.7 [5].
* The Drupal 7.x CKEditor contributed module [6] is not affected if you are running CKEditor module 7.x-1.18 and using CKEditor from the CDN, since it currently uses a version of the CKEditor library that is not vulnerable.
* If you installed CKEditor in Drupal 7 using another method (for example with the WYSIWYG [7] module, or the CKEditor module with CKEditor installed locally) and you're using a version of CKEditor from 4.5.11 up to 4.9.1, update the third-party JavaScript library by downloading CKEditor 4.9.2 from CKEditor's site [8].
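The Drupal 7 bullets above leave the site owner to work out which CKEditor library version is actually deployed and whether it falls in the 4.5.11 to 4.9.1 range. The following script, added here as an example and not part of the advisory or of the Drupal or CKEditor projects, reads the version out of a ckeditor.js banner comment and compares it numerically against the range and the fixed release named above. The banner layout ("CKEditor x.y.z (...)" in the leading comment) and the sample file contents are assumptions constructed for the example.

```python
"""Compare a deployed CKEditor 4 library version against SA-CORE-2018-003.

Added example; it is not code from Drupal or CKEditor. The banner format
matched below is an assumption about ckeditor.js, not a quote from the advisory.
"""
import re
import sys
from typing import Optional, Tuple

# Range stated in the advisory: 4.5.11 up to and including 4.9.1 is affected;
# 4.9.2 is the release that carries the fix.
AFFECTED_MIN: Tuple[int, int, int] = (4, 5, 11)
AFFECTED_MAX: Tuple[int, int, int] = (4, 9, 1)
FIXED: Tuple[int, int, int] = (4, 9, 2)

# Assumed banner comment at the top of a CKEditor 4 build, e.g. "CKEditor 4.9.1 (Standard)".
_BANNER_RE = re.compile(r"CKEditor\s+(\d+)\.(\d+)\.(\d+)")

# Constructed sample of the first lines of a ckeditor.js file (not a real file).
SAMPLE_HEADER = "/*!\n * CKEditor 4.9.1 (Standard)\n * Copyright (c) ...\n */\n(function(){"


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '4.9.1' into (4, 9, 1) so versions compare numerically.

    A plain string comparison would rank '4.10.0' below '4.9.1' and wrongly
    flag it as affected; integer tuples avoid that.
    """
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", version)
    if not m:
        raise ValueError(f"not an x.y.z CKEditor version: {version!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def version_from_banner(js_text: str) -> Optional[str]:
    """Extract the version from the banner comment (assumed format) of ckeditor.js."""
    m = _BANNER_RE.search(js_text[:1000])  # the banner sits at the very top of the file
    return ".".join(m.groups()) if m else None


def is_affected(version: str) -> bool:
    """True when the version lies inside the range the advisory names as vulnerable."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def assess(version: str) -> str:
    """Human-readable verdict for one version string."""
    v = parse_version(version)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return f"{version}: affected by SA-CORE-2018-003, update to 4.9.2"
    if v >= FIXED:
        return f"{version}: contains the fix"
    return f"{version}: outside the affected range named in the advisory"


def assess_file(path: str) -> str:
    """Read a ckeditor.js file from disk and report on its banner version."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        head = fh.read(1000)
    found = version_from_banner(head)
    if found is None:
        return f"{path}: no CKEditor version banner found (check the file manually)"
    return assess(found)


if __name__ == "__main__":
    # Usage: python check_ckeditor.py [path/to/ckeditor.js]
    # Without an argument the constructed sample header is checked instead.
    if len(sys.argv) > 1:
        print(assess_file(sys.argv[1]))
    else:
        print(assess(version_from_banner(SAMPLE_HEADER)))
```

For a Drupal 7 site with a locally installed library, point the script at the ckeditor.js that the CKEditor or WYSIWYG module actually loads; the CDN case in the advisory needs no file check because the module controls the version served.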
Reported By:
* Kyaw Min Thein [9]
Fixed By:
* Marek Lewandowski [10] of the CKEditor team
* Wiktor Walc [11] of the CKEditor team
* Wim Leers [12]
* xjm [13] of the Drupal Security Team
* Lee Rowlands [14] of the Drupal Security Team
* Daniel Wehner [15]
* Hai-Nam Nguyen [16]
* Matthew Grill [17]
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://ckeditor.com/blog/CKEditor-4.9.2-with-a-security-patch-released/
[4] https://www.drupal.org/project/drupal/releases/8.5.2
[5] https://www.drupal.org/project/drupal/releases/8.4.7
[6] https://www.drupal.org/project/ckeditor
[7] https://www.drupal.org/project/wysiwygw
[8] https://ckeditor.com/ckeditor-4/download/
[9] https://www.drupal.org/user/3560461
[10] https://www.drupal.org/user/3339830
[11] https://www.drupal.org/user/184556
[12] https://www.drupal.org/u/wim-leers
[13] https://www.drupal.org/u/xjm
[14] https://www.drupal.org/user/395439
[15] https://www.drupal.org/user/99340
[16] https://www.drupal.org/user/210762
[17] https://www.drupal.org/user/1602706