[Security-news] Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2021-003

security-news at drupal.org
Thu May 27 02:51:17 UTC 2021


View online: https://www.drupal.org/sa-core-2021-003

Project: Drupal core [1]
Date: 2021-May-26
Security risk: *Moderately critical* 14/25
AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default [2]
Vulnerability: Cross Site Scripting

Description: 
Drupal core uses the third-party CKEditor library. This library has an error
in parsing HTML that could lead to an XSS attack. CKEditor 4.16.1 and later
include the fix.

Users of the CKEditor library via means other than Drupal core should update
their 3rd party code (e.g. the WYSIWYG module for Drupal 7). The Drupal
Security Team policy is not to alert for issues affecting 3rd party libraries
unless those are shipped with Drupal core. See DRUPAL-SA-PSA-2016-004 for
more details [3].

This issue is mitigated by the fact that it only affects sites with CKEditor
enabled.

Solution: 
Install the latest version:

   * If you are using Drupal 9.1, update to Drupal 9.1.9 [4].
   * If you are using Drupal 9.0, update to Drupal 9.0.14 [5].
   * If you are using Drupal 8.9, update to Drupal 8.9.16 [6].

Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive
security coverage.
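To make the update rules above mechanical, here is a small triage helper added as an example (it is not part of the advisory or of Drupal's own code). It classifies a site from its core version, whether the CKEditor module is enabled, and optionally the CKEditor 4 library version actually served. Two assumptions are mine, not the advisory's: branches newer than those listed are treated as carrying the fix, and a pre-release tagged with the fixed version number (e.g. 9.1.9-rc1) is treated as not yet fixed.

```python
import re
from typing import Optional, Tuple

# Fixed core releases named in the advisory, keyed by branch (major, minor).
FIXED_CORE = {(9, 1): (9, 1, 9), (9, 0): (9, 0, 14), (8, 9): (8, 9, 16)}
# First CKEditor 4 release that includes the upstream fix (from the advisory).
FIXED_CKEDITOR = (4, 16, 1)

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Turn '9.1.8', 'v9.1.9' or '9.1.9-rc1' into a comparable tuple.

    The fourth element is 1 for a final release and 0 for a pre-release, so a
    pre-release such as 9.1.9-rc1 sorts below the final 9.1.9 and is treated
    as not yet carrying the fix (a conservative assumption, not advisory text).
    """
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)(-\S+)?\s*$", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return (major, minor, patch, 0 if m.group(4) else 1)


def triage(core_version: str, ckeditor_enabled: bool,
           ckeditor_version: Optional[str] = None) -> str:
    """Classify a site against SA-CORE-2021-003.

    Returns one of 'not affected', 'fixed', 'update' or 'end-of-life'.
    ckeditor_version is the CKEditor 4 library version actually served (e.g.
    when the library was replaced independently of core); at or above 4.16.1
    the library fix is present regardless of the core version.
    """
    if not ckeditor_enabled:
        return "not affected"          # the advisory's stated mitigation
    if ckeditor_version is not None and parse_version(ckeditor_version) >= FIXED_CKEDITOR + (1,):
        return "fixed"
    core = parse_version(core_version)
    if core[:2] < (8, 9):
        return "end-of-life"           # no security coverage, so no fix will ship
    fixed = FIXED_CORE.get(core[:2])
    if fixed is None:
        # Branch newer than those listed (e.g. 9.2.x): assumed to include the fix.
        return "fixed"
    return "fixed" if core >= fixed + (1,) else "update"
```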

Reported By: 
   * Or Sahar [7]

Fixed By: 
   * Greg Knaddison [8] of the Drupal Security Team
   * Jess [9] of the Drupal Security Team
   * Krzysztof Krzton [10]
   * Lee Rowlands [11] of the Drupal Security Team
   * Michael Hess [12] of the Drupal Security Team


[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/psa-2016-004
[4] https://www.drupal.org/project/drupal/releases/9.1.9
[5] https://www.drupal.org/project/drupal/releases/9.0.14
[6] https://www.drupal.org/project/drupal/releases/8.9.16
[7] https://www.drupal.org/user/3676145
[8] https://www.drupal.org/user/36762
[9] https://www.drupal.org/user/65776
[10] https://www.drupal.org/user/3618903
[11] https://www.drupal.org/user/395439
[12] https://www.drupal.org/user/102818
