View online: https://www.drupal.org/sa-contrib-2022-003
Project: Wysiwyg [1] Date: 2022-January-05 Security risk: *Moderately critical* 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross site scripting
Description: This module enables you to integrate various What-You-See-Is-What-You-Get (WYSIWYG) rich text editors into Drupal fields with text formats allowing markup for easier editing.
The module doesn't sufficiently sanitize user input before attaching a WYSIWYG editor to an input field such as a textarea. If the editor used has an XSS vulnerability this would allow for example a commenter to put specially crafted markup which could trigger the vulnerability when viewed in the editor by an administrator.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content using a text format with an attached and XSS vulnerable rich text editor.
Solution: Install the latest version:
* If you use the Wysiwyg module for Drupal 7.x, upgrade to WYSIWYG 7.x-2.9 [3]
After upgrading verify that text formats which have a WYSIWYG editor profile also uses a text filter, such as Core's "Limit allowed HTML tags", if accessible by untrusted users. A list of known compatible input filters that will be applied is shown when configuring a WYSIWYG editor profile along with a status indicator.
It is recommended to always be using the latest stable version of any installed editor libraries.
Reported By: * r0ng [4]
Fixed By: * Daniel Kudwien [5] * Henrik Danielsson [6] * r0ng [7] * Wim Leers [8] * Mori Sugimoto [9] of the Drupal Security Team * Damien McKenna [10] of the Drupal Security Team
Coordinated By: * Greg Knaddison [11] of the Drupal Security Team * Damien McKenna [12] of the Drupal Security Team * Chris [13] of the Drupal Security Team
[1] https://www.drupal.org/project/wysiwyg [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/wysiwyg/releases/7.x-2.9 [4] https://www.drupal.org/user/2462440 [5] https://www.drupal.org/user/54136 [6] https://www.drupal.org/user/244227 [7] https://www.drupal.org/user/2462440 [8] https://www.drupal.org/user/99777 [9] https://www.drupal.org/user/82971 [10] https://www.drupal.org/user/108450 [11] https://www.drupal.org/user/36762 [12] https://www.drupal.org/user/108450 [13] https://www.drupal.org/user/1850070