Moderately Critical XSS Vulnerability in WYSIWYG Drupal 7


The Drupal security team announced a moderately critical cross-site scripting (XSS) vulnerability, SA-CONTRIB-2022-003, in Wysiwyg for Drupal 7 on January 5, 2022. This Drupal 7 module lets you integrate various What-You-See-Is-What-You-Get (WYSIWYG) rich text editors into Drupal fields whose text formats allow markup, for easier editing.

The module does not sufficiently sanitize user input before attaching a WYSIWYG editor to an input field such as a textarea. If the editor in use has an XSS vulnerability, this would allow, for example, a commenter to submit specially crafted markup that triggers the vulnerability when the content is viewed in the editor by an administrator.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create content using a text format that has an attached, XSS-vulnerable rich text editor.

Solution

  • If you use the Wysiwyg module for Drupal 7.x, upgrade to Wysiwyg 7.x-2.9.
  • After upgrading, verify that every text format with a WYSIWYG editor profile also uses a text filter, such as Core's "Limit allowed HTML tags", if the format is accessible to untrusted users.
  • A list of known compatible input filters that will be applied, along with a status indicator, is shown when configuring a WYSIWYG editor profile.
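The second step above is easy to overlook on a site with many text formats. The following drush script is an added example (not from the advisory or the Wysiwyg project) that audits a Drupal 7 site using the core and Wysiwyg APIs: it lists every text format that has an editor profile, reports whether the core `filter_html` ("Limit allowed HTML tags") filter is enabled on it, and flags formats that both lack that filter and are granted to roles treated as untrusted. Treating the anonymous and authenticated roles as the untrusted set is an assumption of this example; adjust `$untrusted_rids` to match your site's role model.

```php
<?php
// Added example: audit Drupal 7 text formats that have a Wysiwyg editor profile.
// Run from the site root with: drush php-script audit_wysiwyg_formats.php
// Uses core functions (filter_formats, filter_list_format, filter_get_roles_by_format)
// and wysiwyg_get_profile() from the Wysiwyg module.

// Assumption: anonymous and authenticated users are considered untrusted.
$untrusted_rids = array(DRUPAL_ANONYMOUS_RID, DRUPAL_AUTHENTICATED_RID);

/**
 * Returns one finding per text format that has an editor profile attached.
 */
function audit_wysiwyg_formats(array $untrusted_rids) {
  $findings = array();
  foreach (filter_formats() as $format) {
    // Only formats with a loadable editor profile are affected.
    $profile = wysiwyg_get_profile($format->format);
    if (!$profile || empty($profile->editor)) {
      continue;
    }
    // Enabled filters for this format, keyed by filter name.
    $filters = filter_list_format($format->format);
    $html_limited = !empty($filters['filter_html']->status);
    // Roles allowed to use this format (rid => role name).
    $roles = filter_get_roles_by_format($format);
    $untrusted = array_intersect_key($roles, array_flip($untrusted_rids));
    $findings[] = array(
      'format' => $format->format,
      'editor' => $profile->editor,
      'filter_html' => $html_limited,
      'untrusted_roles' => array_values($untrusted),
      // At risk: untrusted users can author markup that reaches the editor unfiltered.
      'at_risk' => !$html_limited && !empty($untrusted),
    );
  }
  return $findings;
}

foreach (audit_wysiwyg_formats($untrusted_rids) as $f) {
  $status = $f['at_risk'] ? 'AT RISK' : 'ok';
  drush_print(sprintf('[%s] format=%s editor=%s filter_html=%s untrusted_roles=%s',
    $status,
    $f['format'],
    $f['editor'],
    $f['filter_html'] ? 'on' : 'off',
    $f['untrusted_roles'] ? implode(',', $f['untrusted_roles']) : 'none'));
}
```

A format reported as AT RISK should either get the "Limit allowed HTML tags" filter enabled in its configuration or have its role grants tightened so that only trusted users can author content with it; re-run the script after changing either to confirm the finding clears.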

Always use the latest stable version of any installed editor library.

Source: https://www.drupal.org/sa-contrib-2022-003

Note: The vision of this web portal is to help promote news and stories around the Drupal community and to promote and celebrate the people and organizations in the community. We strive to create and distribute our content based on this content policy. If you see any omission or variation from it, please let us know in the comments below and we will try to address the issue as best we can.
