In Drupal closed XSS Vulnerability
Last Wednesday, the Drupal team released updates with a patch for the XSS vulnerability in the CKEditor module of the CMS core.
This gap, estimated as moderately dangerous, is relevant only for Drupal 8; users are advised to install Assembly 8.5.2 or 8.4.7.
According to the developer’s blog entry for the CKEditor JavaScript library, the chance of an XSS attack appears when you use the image2 plugin, an enhanced version of the image plug-in in this editor. This plug-in is not part of CKEditor’s standard configuration, so only custom versions of the editor with image2 extension are at risk.
XSS usually works when the user, after making a transition to the phishing link, opens a page in the browser with embedded malicious code. Such attacks threaten to seize control over the victim’s system.
Discovered by an independent researcher, XSS is present in the CKEditor assembly from 4.5.11 to 4.9.1. Eliminates the vulnerability of the new release of CKEditor 4.9.2.
Corrections have been made to the core of Drupal 8. The bulletin on the project site noted that this vulnerability does not affect Drupal 7 if the module CKEditor 7.x-1.18, which is attached to the CDN-network, is used. In the event that the editor was installed in Drupal 7 in another way – along with the WYSIWYG module or locally – it should be updated by visiting the download page of the CKEditor.