Drupal CMS Updates CKEditor to Patch XSS Vulnerabilities

Drupal CMS

The Drupal Content Management System (CMS) developers reported on Wednesday that updates to the 8.8.x and 8.7.x branches fix several vulnerabilities in the bundled CKEditor library.

CKEditor is a popular, highly configurable open-source WYSIWYG editor with hundreds of plugins. Drupal bundles CKEditor and has updated it to version 4.14, which addresses two cross-site scripting (XSS) bugs affecting older versions of the editor.

“Vulnerabilities are possible if Drupal is configured to use the WYSIWYG CKEditor for your site’s users. When multiple people can edit content, the vulnerability can be used to execute XSS attacks against other people, including site admins with more access,” Drupal said in an advisory.

Users are advised to update Drupal to version 8.8.4 or 8.7.12. Disabling the CKEditor module also prevents the vulnerabilities from being exploited.

Drupal 7 is not affected, but administrators running that version should also make sure that their CKEditor installation has been updated to version 4.14 or later, the Drupal developers said.
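As an added example (not code from the article or from the Drupal project), the following helper classifies a site against the fixed releases named above: Drupal 8.8.4 and 8.7.12, CKEditor 4.14, the CKEditor-module workaround, and the separate Drupal 7 case. Treating 8.x branches other than 8.7 and 8.8 as out of scope is an assumption of this example, not something the advisory states.

```python
"""Classify a Drupal site against the CKEditor XSS fix (added example)."""
from typing import Optional, Tuple

# Fixed releases per supported 8.x branch, taken from the article.
FIXED_DRUPAL = {(8, 8): (8, 8, 4), (8, 7): (8, 7, 12)}
# CKEditor version that contains the fix, taken from the article.
FIXED_CKEDITOR = (4, 14, 0)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.8.3', '4.14' or '8.8.4-dev' into a 3-part tuple of ints."""
    core = text.strip().split("-", 1)[0]          # drop '-dev', '-rc1' suffixes
    parts = tuple(int(p) for p in core.split("."))
    if not parts or any(p < 0 for p in parts):
        raise ValueError(f"bad version: {text!r}")
    return parts + (0,) * (3 - len(parts))


def assess(drupal_version: str, ckeditor_version: Optional[str] = None,
           ckeditor_module_enabled: bool = True) -> str:
    """Return one of: patched, vulnerable, mitigated, upgrade-ckeditor, out-of-scope."""
    d = parse_version(drupal_version)
    if d[0] == 7:
        # Drupal 7 core is unaffected, but a separately installed CKEditor
        # should still be 4.14 or later, as the developers advise.
        if ckeditor_version and parse_version(ckeditor_version) < FIXED_CKEDITOR:
            return "upgrade-ckeditor"
        return "patched"
    fixed = FIXED_DRUPAL.get(d[:2])
    if fixed is None:
        # Assumption: branches the advisory does not list get no verdict here.
        return "out-of-scope"
    if d >= fixed:
        return "patched"
    if not ckeditor_module_enabled:
        return "mitigated"          # the advisory's workaround: module disabled
    return "vulnerable"
```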

Although Drupal’s description of the vulnerabilities suggests they could pose a significant risk, they have been rated only “moderately critical”, with a risk score of 13/25.

The CKEditor 4.14 release notes also state that exploiting the vulnerabilities requires “unlikely” or “highly unlikely” scenarios. One of the flaws, for example, affects the HTML data processor. To exploit it, an attacker would have to persuade the targeted user to paste malicious HTML into the editor, either in WYSIWYG mode or in source mode.

The second vulnerability involves a third-party plugin, the WebSpellChecker Dialog. To exploit it for XSS, an attacker would need to persuade the user to switch CKEditor to source mode, paste malicious code, switch back to WYSIWYG mode, and then view the content on a site where the WebSpellChecker Dialog plugin files are accessible.

This is the first security release from the Drupal developers this year; seven rounds of security patches were issued in 2019, in January, February, March, April, May, July, and December. Although Drupal is not targeted as aggressively as WordPress, some of the flaws found in recent years have at some point been exploited to hijack websites.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.