View online: https://www.drupal.org/sa-contrib-2021-026
Project: Webform [1] Date: 2021-August-25 Security risk: *Moderately critical* 12∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2] Vulnerability: Cross Site Scripting
Description: The Webform module uses the CKEditor [3], library for WYSIWYG editing. CKEditor has released a security update that impacts Webform [4].
An attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor, including site admins with privileged access.
For more information, see CKEditor's announcement of the release [5].
Solution: Install the latest version:
* If you use the Webform module module for Drupal 8/9 upgrade to Webform 8.x-5.28 [6] or Webform 6.0.5 [7]
If you are using a previous release of the Webform module you can immediately do one of several options.
1) Update Drupal 2) If you are using Composer, run drush webform:libraries:composer > DRUPAL_ROOT/composer.libraries.json and run composer update 3) If you are using Drush, run drush webform:libraries:update
Learn more about updating Webform libraries. [8]
Reported By: * Lee Rowlands [9] of the Drupal Security Team
Fixed By: * Jacob Rockowitz [10]
Coordinated By: * Greg Knaddison [11] of the Drupal Security Team * xjm [12] of the Drupal Security Team
[1] https://www.drupal.org/project/webform [2] https://www.drupal.org/security-team/risk-levels [3] https://github.com/ckeditor/ckeditor4 [4] https://ckeditor.com/blog/ckeditor-4.16.2-with-browser-improvements-and-secu... [5] https://ckeditor.com/blog/ckeditor-4.16.2-with-browser-improvements-and-secu... [6] https://www.drupal.org/project/webform/releases/8.x-5.28 [7] https://www.drupal.org/project/webform/releases/6.0.5 [8] https://www.drupal.org/docs/contributed-modules/webform/webform-libraries [9] https://www.drupal.org/user/395439 [10] https://www.drupal.org/user/371407 [11] https://www.drupal.org/user/36762 [12] https://www.drupal.org/user/65776