[Security-news] Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2018-003
security-news at drupal.org
Wed Apr 18 18:52:35 UTC 2018
View online: https://www.drupal.org/sa-core-2018-003
Project: Drupal core [1]
Date: 2018-April-18
Security risk: *Moderately critical* 12/25
AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross Site Scripting
Description:
CKEditor, a third-party JavaScript library included in Drupal core, has fixed
a cross-site scripting (XSS) vulnerability [3]. The vulnerability stemmed
from the fact that it was possible to execute XSS inside CKEditor when using
the image2 plugin (which Drupal 8 core also uses).
We would like to thank the CKEditor team for patching the vulnerability and
coordinating the fix and release process, and matching the Drupal core
security window.
Solution:
* If you are using Drupal 8, update to Drupal 8.5.2 [4] or Drupal 8.4.7
[5].
* The Drupal 7.x CKEditor contributed module [6] is not affected if you are
running CKEditor module 7.x-1.18 and using CKEditor from the CDN, since it
currently uses a version of the CKEditor library that is not vulnerable.
* If you installed CKEditor in Drupal 7 using another method (for example
with the WYSIWYG [7] module or the CKEditor module with CKEditor locally)
and you’re using a version of CKEditor from 4.5.11 up to 4.9.1, update
the third-party JavaScript library by downloading CKEditor 4.9.2 from
CKEditor's site [8].
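As an added example (not part of the advisory or of CKEditor/Drupal code), a small Python check for the locally installed CKEditor case above: it pulls the version string out of a ckeditor.js file and reports whether it falls in the 4.5.11 through 4.9.1 range the advisory names. The `version:"4.x.y"` marker it searches for is an assumed pattern of CKEditor 4 builds, and the sample file content is constructed.

```python
import re

# Affected range stated in SA-CORE-2018-003: 4.5.11 up to 4.9.1 inclusive;
# 4.9.2 is the first release carrying the fix.
FIRST_VULNERABLE = (4, 5, 11)
FIRST_FIXED = (4, 9, 2)

# Constructed stand-in for a fragment of a minified ckeditor.js build.
# The exact shape of the version marker in real builds is an assumption.
SAMPLE_CKEDITOR_JS = 'CKEDITOR.version="4.9.1";CKEDITOR.revision="deadbeef";'


def parse_version(text):
    """Turn '4.9.1' into (4, 9, 1). Comparing numeric tuples avoids the
    classic mistake of comparing version strings, which ranks '4.9.10'
    below '4.9.2' and would misclassify a patched install as vulnerable."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version):
    """True if the given CKEditor version lies in the advisory's range."""
    return FIRST_VULNERABLE <= parse_version(version) < FIRST_FIXED


def version_from_ckeditor_js(source):
    """Extract the version from ckeditor.js text. Matches both the
    `version:"4.x.y"` object-literal form and a `version="4.x.y"`
    assignment (assumed patterns); returns None if nothing matches."""
    m = re.search(r'version\s*[:=]\s*"(\d+\.\d+(?:\.\d+)?)"', source)
    return m.group(1) if m else None


def check_install(source):
    """Classify a ckeditor.js file body: 'affected', 'not affected' or
    'unknown' (version marker not found, so inspect by hand)."""
    version = version_from_ckeditor_js(source)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not affected"


if __name__ == "__main__":
    print(check_install(SAMPLE_CKEDITOR_JS))
```

To run it against a real install, read the site's ckeditor.js into a string and pass it to check_install().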
Reported By:
* Kyaw Min Thein [9]
Fixed By:
* Marek Lewandowski [10] of the CKEditor team
* Wiktor Walc [11] of the CKEditor team
* Wim Leers [12]
* xjm [13] of the Drupal Security Team
* Lee Rowlands [14] of the Drupal Security Team
* Daniel Wehner [15]
* Hai-Nam Nguyen [16]
* Matthew Grill [17]
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://ckeditor.com/blog/CKEditor-4.9.2-with-a-security-patch-released/
[4] https://www.drupal.org/project/drupal/releases/8.5.2
[5] https://www.drupal.org/project/drupal/releases/8.4.7
[6] https://www.drupal.org/project/ckeditor
[7] https://www.drupal.org/project/wysiwygw
[8] https://ckeditor.com/ckeditor-4/download/
[9] https://www.drupal.org/user/3560461
[10] https://www.drupal.org/user/3339830
[11] https://www.drupal.org/user/184556
[12] https://www.drupal.org/u/wim-leers
[13] https://www.drupal.org/u/xjm
[14] https://www.drupal.org/user/395439
[15] https://www.drupal.org/user/99340
[16] https://www.drupal.org/user/210762
[17] https://www.drupal.org/user/1602706