Drupal Releases Updates Against CKEditor Vulnerabilities

Drupal, an open-source web Content Management System (CMS), has recently released security updates due to vulnerabilities in a third-party text editor bundled with it, CKEditor. A pair of cross-site scripting (XSS) bugs, which Drupal has rated as moderately critical, could have seriously affected organizations using CKEditor. The vulnerabilities could have enabled attackers to bypass content sanitization and inject malformed HTML, resulting in the execution of JavaScript code.

This open-source text editor has been downloaded more than 30 million times and has been adopted by many organizations, including Microsoft, Siemens, Disney and Deloitte. Any of these organizations, or any of the one million websites powered by Drupal, that had enabled the CKEditor library for WYSIWYG editing would have been vulnerable to this bug.

The XSS vulnerabilities were found by developer William Bowling in the core HTML processing module and by security researcher Maurice Dauer in the advanced content filter module. The threat level was such that even the US Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about the importance of applying the updates.

According to a security advisory published by Drupal, any attacker who can create or edit content may be able to exploit one or more of the XSS bugs to target users with access to CKEditor, including site admins with privileged access. This vulnerability echoes another XSS found in CKSource by Michal Bentkowski of Securitum in March 2020.

CKSource rectified the flaws and on 17th November 2021 released version 4.17.0 together with a hotfix. Drupal also updated its version and has advised users to update Drupal 9.2, 9.1 and 8.9 to Drupal 9.2.9, 9.1.14 and 8.9.20 respectively. The Drupal team has also requested that users update to Drupal 9 as soon as they can to avoid remaining exposed to possible threats.
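As an added example (not Drupal's or CKSource's own code), the following check classifies a Drupal core version against the fixed releases named above (9.2.9, 9.1.14, 8.9.20), flagging branches the advisory does not cover as unsupported; the `drush status` line format it parses is an assumption and the sample output is constructed.

```python
"""Classify a Drupal core version against the fixed releases quoted on this
page: 9.2.9, 9.1.14 and 8.9.20. Added example, not Drupal's or CKSource's code."""
import re
from typing import Optional, Tuple

# Fixed release per supported branch, exactly as stated in the article.
FIXED_RELEASES = {
    (9, 2): (9, 2, 9),
    (9, 1): (9, 1, 14),
    (8, 9): (8, 9, 20),
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' (e.g. '9.2.8' or '9.2.8-dev'); raise on junk."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Drupal version: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return major, minor, patch


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unsupported-branch' for a core version."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        # Branches not listed in the advisory (e.g. 9.0.x) received no fix;
        # the article's guidance is to move to a supported Drupal 9 release.
        return "unsupported-branch"
    return "patched" if (major, minor, patch) >= fixed else "vulnerable"


def scan_status_output(drush_status: str) -> Optional[str]:
    """Find the 'Drupal version' line in `drush status`-style text (assumed
    'key : value' format) and assess it; None if the line is absent."""
    for line in drush_status.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "drupal version":
            return assess(value.strip())
    return None


if __name__ == "__main__":
    # Constructed sample in the shape of `drush status` output (assumption).
    SAMPLE = "Drupal version   : 9.2.8\nSite URI         : http://default\n"
    print(scan_status_output(SAMPLE))  # → vulnerable
```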
