Decentral Digital Blog


Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2018-003

Project: Drupal core
Date: 2018-April-18
Vulnerability: Cross Site Scripting
Description:

CKEditor, a third-party JavaScript library included in Drupal core, has fixed a cross-site scripting (XSS) vulnerability. It was possible to execute XSS inside CKEditor when using the image2 (Enhanced Image) plugin, which Drupal 8 core also uses.

We would like to thank the CKEditor team for patching the vulnerability and coordinating the fix and release process, and matching the Drupal core security window.

Solution: 
If you are using Drupal 8, update to Drupal 8.5.2 or Drupal 8.4.7; the fixed CKEditor library is bundled with those core releases.

The Drupal 7.x CKEditor contributed module is not affected if you are running CKEditor module 7.x-1.18 and loading CKEditor from the CDN, since that release currently uses a version of the CKEditor library that is not vulnerable. If you installed CKEditor in Drupal 7 by another method (for example with the WYSIWYG module, or with the CKEditor module and a locally hosted copy of CKEditor) and the installed library is any version from 4.5.11 up to and including 4.9.1, update the third-party JavaScript library by downloading CKEditor 4.9.2 from CKEditor's site.
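For a locally hosted copy of CKEditor, the practical question is which library version is actually on disk. The script below is an added example, not part of the advisory or of the CKEditor or Drupal projects: it pulls the version string out of a ckeditor.js build and reports whether it falls in the affected range 4.5.11 up to 4.9.1. The sample file contents are constructed, and the Drupal 8 path core/assets/vendor/ckeditor/ckeditor.js mentioned in the comments is an assumption about where the bundled library lives.

```shell
#!/bin/sh
# Added example, not part of the Drupal advisory or of CKEditor.
# Pulls the version string out of a CKEditor 4 build (ckeditor.js) and checks
# whether it lies in the range SA-CORE-2018-003 names: 4.5.11 up to 4.9.1.

# Print the first "version:" string found in a ckeditor.js file.
# Minified builds carry version:"4.x.y"; source builds carry version: '4.x.y'.
# Splitting on , and ; first keeps the greedy sed match from running past the
# field on a one-line minified build.
ckeditor_version() {
  tr ',;' '\n\n' < "$1" |
    sed -n 's/.*version:[[:space:]]*["'"'"']\(4\.[0-9][0-9]*\(\.[0-9][0-9]*\)\{0,1\}\)["'"'"'].*/\1/p' |
    head -n 1
}

# Turn a dotted version (4.9.1) into a comparable integer (4009001).
# The unquoted substitution is intentional: it splits the components into $1 $2 $3.
vernum() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Succeed when VERSION is within [4.5.11, 4.9.1], the affected range.
ckeditor_affected() {
  v=$(vernum "$1")
  [ "$v" -ge "$(vernum 4.5.11)" ] && [ "$v" -le "$(vernum 4.9.1)" ]
}

# Report on one ckeditor.js file. Returns 0 when outside the affected range,
# 1 when affected, 2 when no version string could be found.
# Usage: check_ckeditor_file path/to/ckeditor.js
check_ckeditor_file() {
  ver=$(ckeditor_version "$1")
  if [ -z "$ver" ]; then
    echo "$1: no CKEditor 4 version string found"
    return 2
  fi
  if ckeditor_affected "$ver"; then
    echo "$1: CKEditor $ver is in the affected range, update to 4.9.2"
    return 1
  fi
  echo "$1: CKEditor $ver is outside the affected range"
  return 0
}

# Demo on a constructed stand-in for a minified build (not a real ckeditor.js).
# On a Drupal 8 site the file to check would be
# core/assets/vendor/ckeditor/ckeditor.js (assumed path).
sample=$(mktemp)
printf '%s\n' 'CKEDITOR={timestamp:"R5DE",version:"4.9.1",revision:"0"};' > "$sample"
check_ckeditor_file "$sample" || true
rm -f "$sample"
```

On a running site the same string is exposed as CKEDITOR.version in the browser console on any page that loads the editor, which is the quickest check when the library is served from a CDN. The file check matters for locally hosted copies installed outside the CKEditor module, since nothing in Drupal's update status reports that library's version.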
Reported By: 
Fixed By: 
  • Marek Lewandowski of the CKEditor team
  • Wiktor Walc of the CKEditor team
  • Wim Leers
  • xjm of the Drupal Security Team
  • Lee Rowlands of the Drupal Security Team
  • Daniel Wehner
  • Hai-Nam Nguyen
  • Matthew Grill
Original author: Drupal Security Team