XSS Vulnerability Closed in Drupal
Last Wednesday, the Drupal team released updates that patch an XSS vulnerability in the CKEditor module of the CMS core.
The flaw, rated as moderately dangerous, affects only Drupal 8; users are advised to install release 8.5.2 or 8.4.7.
XSS usually works when a user follows a phishing link and opens a page in the browser that contains embedded malicious code. Such attacks threaten to seize control over the victim’s system.
The XSS flaw, discovered by an independent researcher, is present in CKEditor builds 4.5.11 through 4.9.1. The new CKEditor release, 4.9.2, eliminates the vulnerability.
The fix has been applied to the Drupal 8 core. The bulletin on the project site notes that the vulnerability does not affect Drupal 7 if the CKEditor 7.x-1.18 module is used with the editor loaded from the CDN. If the editor was installed in Drupal 7 some other way (together with the WYSIWYG module, or locally), it should be updated from the CKEditor download page.