[Security-news] Wysiwyg - Moderately critical - Cross site scripting - SA-CONTRIB-2022-003

security-news at drupal.org
Wed Jan 5 19:12:26 UTC 2022


View online: https://www.drupal.org/sa-contrib-2022-003

Project: Wysiwyg [1]
Date: 2022-January-05
Security risk: *Moderately critical* 14/25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross site scripting

Description: 
This module enables you to integrate various What-You-See-Is-What-You-Get
(WYSIWYG) rich text editors into Drupal fields with text formats allowing
markup for easier editing.

The module does not sufficiently sanitize user input before attaching a
WYSIWYG editor to an input field such as a textarea. If the editor in use has
an XSS vulnerability, this allows, for example, a commenter to submit
specially crafted markup that triggers the vulnerability when an
administrator views the content in the editor.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to create content using a text format with an attached
and XSS vulnerable rich text editor.

Solution: 
Install the latest version:

   * If you use the Wysiwyg module for Drupal 7.x, upgrade to WYSIWYG 7.x-2.9
     [3]

After upgrading, verify that every text format which has a WYSIWYG editor
profile also uses a markup-restricting text filter, such as Core's "Limit
allowed HTML tags", if the format is accessible to untrusted users.
A list of known compatible input filters that will be applied is shown, along
with a status indicator, when configuring a WYSIWYG editor profile.
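The verification step above can be scripted. The following drush script is an added example for this page, not code from the Wysiwyg module or the Drupal Security Team. It walks every enabled text format, reports which ones have an editor profile attached, which filters are enabled on them, and whether anonymous or authenticated users may post in that format. It assumes Drupal 7 core's filter_formats(), filter_list_format() and filter_get_roles_by_format(), and the Wysiwyg 7.x-2.x function wysiwyg_profile_load(); the helper name wysiwyg_audit_format() and the file name are this example's own.

```php
<?php
/**
 * Audit text formats that attach a Wysiwyg editor but lack a markup-restricting
 * filter, and report which of those are open to untrusted roles.
 *
 * Run from the site root: drush php-script wysiwyg_filter_audit.php
 *
 * Added illustration, not part of the Wysiwyg module. Assumes:
 *  - Drupal 7 core: filter_formats(), filter_list_format(),
 *    filter_get_roles_by_format(), DRUPAL_ANONYMOUS_RID, DRUPAL_AUTHENTICATED_RID.
 *  - Wysiwyg 7.x-2.x: wysiwyg_profile_load($format_id) returns the profile
 *    object (with ->editor) for a format, or FALSE if no editor is attached.
 */

// Roles treated as untrusted. Extend this for sites where other roles can be
// self-assigned (for example, a "member" role granted on registration).
$untrusted_rids = array(DRUPAL_ANONYMOUS_RID, DRUPAL_AUTHENTICATED_RID);

// Core filters that restrict markup: "Limit allowed HTML tags" and
// "Display any HTML as plain text". Add contrib equivalents if you rely on them.
$restricting_filters = array('filter_html', 'filter_html_escape');

/**
 * Returns an audit record for one format, or NULL when no editor is attached.
 */
function wysiwyg_audit_format($format_id, $format, array $untrusted_rids, array $restricting_filters) {
  $profile = wysiwyg_profile_load($format_id);
  if (!$profile || empty($profile->editor)) {
    return NULL; // No editor attached: not in scope for SA-CONTRIB-2022-003.
  }

  $enabled = array();
  $allowed_html = NULL;
  foreach (filter_list_format($format_id) as $name => $filter) {
    if (!empty($filter->status)) {
      $enabled[] = $name;
      if ($name == 'filter_html' && isset($filter->settings['allowed_html'])) {
        // The filter only helps if its tag list is itself sane; surface it.
        $allowed_html = $filter->settings['allowed_html'];
      }
    }
  }
  $restricted = (bool) array_intersect($enabled, $restricting_filters);

  // filter_get_roles_by_format() already reports every role for the fallback
  // format, which needs no "use text format" permission at all.
  $roles = filter_get_roles_by_format($format);
  $open_to = array_intersect_key($roles, array_flip($untrusted_rids));

  return array(
    'format' => $format->name,
    'editor' => $profile->editor,
    'enabled_filters' => $enabled,
    'allowed_html' => $allowed_html,
    'untrusted_roles' => array_values($open_to),
    // The combination the advisory warns about: editor attached, no
    // restricting filter, and untrusted users may post in this format.
    'at_risk' => !$restricted && !empty($open_to),
  );
}

$at_risk = 0;
foreach (filter_formats() as $format_id => $format) {
  $result = wysiwyg_audit_format($format_id, $format, $untrusted_rids, $restricting_filters);
  if ($result === NULL) {
    continue;
  }
  printf("[%s] format \"%s\" (editor: %s)\n",
    $result['at_risk'] ? 'AT RISK' : 'ok', $result['format'], $result['editor']);
  printf("  enabled filters: %s\n",
    $result['enabled_filters'] ? implode(', ', $result['enabled_filters']) : 'none');
  if ($result['allowed_html'] !== NULL) {
    printf("  allowed HTML: %s\n", $result['allowed_html']);
  }
  printf("  open to untrusted roles: %s\n",
    $result['untrusted_roles'] ? implode(', ', $result['untrusted_roles']) : 'none');
  if ($result['at_risk']) {
    $at_risk++;
    print "  -> enable \"Limit allowed HTML tags\" on this format or detach the editor profile\n";
  }
}
printf("%d format(s) at risk\n", $at_risk);
```

Treat an "AT RISK" line as a finding even on a site already running 7.x-2.9: the upgrade hardens what the module does before attaching the editor, but a format that lets untrusted users submit arbitrary markup into an editor with its own XSS bug remains the exposure this advisory describes. Formats that report "ok" because they are closed to untrusted roles still deserve a look at who actually holds those roles.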

It is recommended to always be using the latest stable version of any
installed editor libraries.

Reported By: 
   * r0ng [4]

Fixed By: 
   * Daniel Kudwien [5]
   * Henrik Danielsson [6]
   * r0ng [7]
   * Wim Leers [8]
   * Mori Sugimoto [9] of the Drupal Security Team
   * Damien McKenna [10] of the Drupal Security Team

Coordinated By: 
   * Greg Knaddison [11] of the Drupal Security Team
   * Damien McKenna [12] of the Drupal Security Team
   * Chris [13] of the Drupal Security Team


[1] https://www.drupal.org/project/wysiwyg
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/wysiwyg/releases/7.x-2.9
[4] https://www.drupal.org/user/2462440
[5] https://www.drupal.org/user/54136
[6] https://www.drupal.org/user/244227
[7] https://www.drupal.org/user/2462440
[8] https://www.drupal.org/user/99777
[9] https://www.drupal.org/user/82971
[10] https://www.drupal.org/user/108450
[11] https://www.drupal.org/user/36762
[12] https://www.drupal.org/user/108450
[13] https://www.drupal.org/user/1850070



More information about the Security-news mailing list