Moderately Critical XSS Vulnerability Discovered in CKEditor
CKEditor has released a security update SA- Core-2021-011 that impacts Drupal, along with the issue fix for that update. The issue dated November 17th, 2021 is classified as a moderately critical cross-site scripting (XSS) vulnerability. Drupal uses the CKEditor library for WYSIWYG editing.
If your Drupal site is configured to the use of CKEditor library for WYSIWYG editing, then you might be exposed to this vulnerability. An attacker can create or edit content even without access to CKEditor and may be able to exploit one or more XSS vulnerabilities to target users with access to WYSIWYG CKEditor. It can even target site admins with privileged access.
This advisory is not covered by Drupal Steward. Details about the CKEditor’s security advisories can be got from:
Upgrade or Install the latest version:
- If you are using Drupal 9.2, update to Drupal 9.2.9.
- If you are using Drupal 9.1, update to Drupal 9.1.14.
- If you are using Drupal 8.9, update to Drupal 8.9.20.
Drupal versions prior to 9.1.x are end-of-life and do not receive security coverage. Drupal 8 has reached EOL: This is the final security release provided for Drupal 8.
Drupal 7 core does not include the CKEditor module and therefore is not affected.