[Security-news] CKEditor - WYSIWYG HTML editor - Moderately critical - Cross site scripting - SA-CONTRIB-2020-007
security-news at drupal.org
security-news at drupal.org
Wed Mar 18 19:57:02 UTC 2020
View online: https://www.drupal.org/sa-contrib-2020-007
Project: CKEditor - WYSIWYG HTML editor [1]
Date: 2020-March-18
Security risk: *Moderately critical* 11∕25
AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross site scripting
Description:
The CKEditor module (and its predecessor, FCKeditor module) allows Drupal to
replace textarea fields with CKEditor 3.x/4.x (FCKeditor 2.x in case of
FCKeditor module) - a visual HTML editor, sometimes called WYSIWYG editor.
Due to the usage of the JavaScript `eval()` function on non-filtered data in
admin section, it was possible for a user with permission to create content
visible in the admin area to inject specially crafted malicious script which
causes Cross Site Scripting (XSS).
The problem existed in CKEditor module for Drupal, not in JavaScript
libraries with the same names.
Solution:
Install the latest version:
* If you use the CKEditor module for Drupal 7.x, upgrade to CKEditor
7.x-1.19 [3]
Also see the CKEditor- WYSIWYG HTML editor [4] project page
Reported By:
* Yonatan Offek [5]
Fixed By:
* Robert Mikołajuk [6]
Coordinated By:
* Greg Knaddison [7] of the Drupal Security Team
[1] https://www.drupal.org/project/ckeditor
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/ckeditor/releases/7.x-1.19
[4] https://www.drupal.org/project/ckeditor
[5] https://www.drupal.org/user/194009
[6] https://www.drupal.org/user/2793801
[7] https://www.drupal.org/user/36762
More information about the Security-news
mailing list