View online: https://www.drupal.org/sa-contrib-2020-007

Project: CKEditor - WYSIWYG HTML editor [1] Date: 2020-March-18 Security risk: *Moderately critical* 11∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2] Vulnerability: Cross site scripting

Description:  The CKEditor module (and its predecessor, FCKeditor module) allows Drupal to replace textarea fields with CKEditor 3.x/4.x (FCKeditor 2.x in case of FCKeditor module) - a visual HTML editor, sometimes called WYSIWYG editor.

Due to the usage of the JavaScript `eval()` function on non-filtered data in admin section, it was possible for a user with permission to create content visible in the admin area to inject specially crafted malicious script which causes Cross Site Scripting (XSS).

The problem existed in CKEditor module for Drupal, not in JavaScript libraries with the same names.

Solution:  Install the latest version:

* If you use the CKEditor module for Drupal 7.x, upgrade to CKEditor 7.x-1.19 [3]

Also see the CKEditor- WYSIWYG HTML editor [4] project page

Reported By:  * Yonatan Offek [5]

Fixed By:  * Robert Mikołajuk [6]

Coordinated By:  * Greg Knaddison [7] of the Drupal Security Team

[1] https://www.drupal.org/project/ckeditor [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/ckeditor/releases/7.x-1.19 [4] https://www.drupal.org/project/ckeditor [5] https://www.drupal.org/user/194009 [6] https://www.drupal.org/user/2793801 [7] https://www.drupal.org/user/36762