Drupal Core Security Advisory: CKEditor 5 Vulnerability in Versions 10.0 to 10.2.9
Drupal core has issued a security advisory (SA-CORE-2024-002) for a moderately critical vulnerability affecting versions 10.0 to 10.2.9. The issue stems from improper error handling in the CKEditor 5 module, which, under certain uncommon site configurations, could cause an image upload to move the entire webroot to a different location on the file system. Although the vulnerability is considered theoretical, a malicious user could exploit it to bring down a site.
The risk is mitigated by the fact that several non-default configurations must exist simultaneously for the vulnerability to be triggered. Drupal 10.3 and above, as well as Drupal 7, are unaffected by this issue.
Users running affected versions are advised to update to Drupal 10.2.10. Earlier versions of Drupal 10, as well as Drupal 8 and 9, have reached end-of-life and no longer receive security coverage. This issue was reported by Pierre Rudloff and addressed by members of the Drupal Security Team.