View online: https://www.drupal.org/sa-contrib-2024-009
Project: CKEditor 4 LTS - WYSIWYG HTML editor [1] Date: 2024-February-14 Security risk: *Moderately critical* 12∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2] Vulnerability: Cross Site Scripting
Affected versions: >=1.0.0 <1.0.1 Description: The CKEditor 4 LTS - WYSIWYG HTML editor module uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update [3] that on certain configurations may impact the Drupal module that bundles and integrates this code.
The vulnerability is mitigated by the fact it requires:
1) full-page editing [4] mode is enabled 2) or CDATA elements in Advanced Content Filtering configuration (defaults to script and style elements) are enabled. 3) An attacker must have a permission with access to the CKEditor instance.
For more information, see CKEditor's security advisory: CVE-2024-24815 [5]: Cross-site scripting (XSS) vulnerability caused by incorrect CDATA detection
Solution: Install the latest version:
* If you use the CKEditor 4 LTS - WYSIWYG HTML editor module for Drupal 9.4+, upgrade to ckeditor_lts 1.0.1 [6]
Reported By: * cilefen [7] of the Drupal Security Team * Juraj Nemec [8] of the Drupal Security Team
Fixed By: * Wojciech Kukowski [9] * Jacek Bogdański [10] * Dawid [11]
Coordinated By: * Greg Knaddison [12] of the Drupal Security Team * catch [13] of the Drupal Security Team
[1] https://www.drupal.org/project/ckeditor_lts [2] https://www.drupal.org/security-team/risk-levels [3] https://ckeditor.com/cke4/release/CKEditor-4.24.0-LTS [4] https://ckeditor.com/docs/ckeditor4/latest/features/fullpage.html [5] https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqv... [6] https://www.drupal.org/project/ckeditor_lts/releases/1.0.1 [7] https://www.drupal.org/user/1850070 [8] https://www.drupal.org/user/272316 [9] https://www.drupal.org/user/3104645 [10] https://www.drupal.org/user/3683355 [11] https://www.drupal.org/user/3741013 [12] https://www.drupal.org/user/36762 [13] https://www.drupal.org/user/35733