CKEditor has released a security update SA- Core-2021-011 that impacts Drupal, along with the issue fix for that update. The issue dated November 17^th, 2021 is classified as a moderately critical cross-site scripting (XSS) vulnerability. Drupal uses the CKEditor library for WYSIWYG editing.

If your Drupal site is configured to the use of CKEditor library for WYSIWYG editing, then you might be exposed to this vulnerability. An attacker can create or edit content even without access to CKEditor and may be able to exploit one or more XSS vulnerabilities to target users with access to WYSIWYG CKEditor. It can even target site admins with privileged access.

You May Like

Article

Drupal's Innovation & Future: 2024 and Beyond—Part 2 | Industry Experts' Perspective

Article

Drupal's Innovation & Future: 2024 and Beyond—Part 2 | Industry Experts' Perspective

This advisory is not covered by Drupal Steward. Details about the CKEditor’s  security advisories can be got from:

• HTML comments vulnerability allowing to execute JavaScript code
• Advanced Content Filter (ACF) vulnerability allowing to execute JavaScript code using malformed HTML

Issue Fix

Upgrade or Install the latest version:

• If you are using Drupal 9.2, update to Drupal 9.2.9.
• If you are using Drupal 9.1, update to Drupal 9.1.14.
• If you are using Drupal 8.9, update to Drupal 8.9.20.

 Drupal versions prior to 9.1.x are end-of-life and do not receive security coverage. Drupal 8 has reached EOL: This is the final security release provided for Drupal 8.

Drupal 7 core does not include the CKEditor module and therefore is not affected.

Source: Drupal.org