[Security-news] Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2018-003

security-news at drupal.org security-news at drupal.org
Wed Apr 18 18:52:35 UTC 2018


View online: https://www.drupal.org/sa-core-2018-003

Project: Drupal core [1]
Date: 2018-April-18
Security risk: *Moderately critical* 12/25
AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross Site Scripting

Description: 
CKEditor, a third-party JavaScript library included in Drupal core, has fixed
a cross-site scripting (XSS) vulnerability [3].  The vulnerability stemmed
from the fact that it was possible to execute XSS inside CKEditor when using
the image2 plugin (which Drupal 8 core also uses).

We would like to thank the CKEditor team for patching the vulnerability and
coordinating the fix and release process, and matching the Drupal core
security window.

Solution: 
   * If you are using Drupal 8, update to Drupal 8.5.2 [4] or Drupal 8.4.7 [5].
   * The Drupal 7.x CKEditor contributed module [6] is not affected if you are
     running CKEditor module 7.x-1.18 and using CKEditor from the CDN, since it
     currently uses a version of the CKEditor library that is not vulnerable.
   * If you installed CKEditor in Drupal 7 using another method (for example
     with the WYSIWYG [7] module or the CKEditor module with CKEditor locally)
     and you're using a version of CKEditor from 4.5.11 up to 4.9.1, update
     the third-party JavaScript library by downloading CKEditor 4.9.2 from
     CKEditor's site [8].
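For sites that bundle CKEditor themselves (the third case above), the following Python triage helper is an added example, not code from the advisory, from Drupal or from the CKEditor project: it reads a locally installed ckeditor.js, extracts the library version and reports whether it falls inside the 4.5.11 to 4.9.1 range named above. The `version:"x.y.z"` pattern it searches for is an assumption about how the CKEditor 4 bundle embeds its version string.

```python
import re
import sys
from typing import Optional, Tuple

# Range the advisory names as vulnerable, and the release that fixes it.
AFFECTED_MIN = (4, 5, 11)
AFFECTED_MAX = (4, 9, 1)
FIXED = (4, 9, 2)

# Assumption: the CKEditor 4 bundle carries its version as `version:"4.9.1"`
# (minified build) or `version: '4.9.1'` (unminified source).
_VERSION_RE = re.compile(r"""version\s*:\s*["']([0-9]+(?:\.[0-9]+)*)["']""")


def parse_version(bundle_text: str) -> Optional[Tuple[int, ...]]:
    """Return the CKEditor version found in a bundle as an int tuple, or None."""
    match = _VERSION_RE.search(bundle_text)
    if not match:
        return None
    parts = tuple(int(p) for p in match.group(1).split("."))
    # Pad to three components so "4.9" compares as (4, 9, 0).
    return parts + (0,) * (3 - len(parts)) if len(parts) < 3 else parts


def is_affected(version: Tuple[int, ...]) -> bool:
    """True when the version lies inside the range the advisory calls vulnerable."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def assess(bundle_text: str) -> str:
    """Classify a bundle as 'affected', 'not affected' or 'unknown' (no version found)."""
    version = parse_version(bundle_text)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not affected"


if __name__ == "__main__":
    # Usage: python check_ckeditor.py /path/to/sites/all/libraries/ckeditor/ckeditor.js
    # Without an argument, a constructed sample bundle is checked instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = 'CKEDITOR={timestamp:"H9FN",version:"4.9.1",revision:"abc123"}'
    print(f"{parse_version(text)} -> {assess(text)}")
```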

Reported By: 
   * Kyaw Min Thein [9]

Fixed By: 
   * Marek Lewandowski [10] of the CKEditor team
   * Wiktor Walc [11] of the CKEditor team
   * Wim Leers [12]
   * xjm [13] of the Drupal Security Team
   * Lee Rowlands [14] of the Drupal Security Team
   * Daniel Wehner [15]
   * Hai-Nam Nguyen [16]
   * Matthew Grill [17]


[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://ckeditor.com/blog/CKEditor-4.9.2-with-a-security-patch-released/
[4] https://www.drupal.org/project/drupal/releases/8.5.2
[5] https://www.drupal.org/project/drupal/releases/8.4.7
[6] https://www.drupal.org/project/ckeditor
[7] https://www.drupal.org/project/wysiwygw
[8] https://ckeditor.com/ckeditor-4/download/
[9] https://www.drupal.org/user/3560461
[10] https://www.drupal.org/user/3339830
[11] https://www.drupal.org/user/184556
[12] https://www.drupal.org/u/wim-leers
[13] https://www.drupal.org/u/xjm
[14] https://www.drupal.org/user/395439
[15] https://www.drupal.org/user/99340
[16] https://www.drupal.org/user/210762
[17] https://www.drupal.org/user/1602706
