Drupal released the security update to fix Cross Site Scripting in Drupal core

Drupal security update

On April 18, 2018, Drupal has released security updates to address a Cross Site Scripting vulnerability affecting CKEditor, a third-party JavaScript library included in Drupal core. A remote attacker could exploit some of these vulnerabilities to gain access to sensitive information of an affected website.

Drupal security update

The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor when using the image2 plugin (which Drupal 8 core also uses).

Solution

  • If you are using Drupal 8, update to Drupal 8.5.2 or Drupal 8.4.7.
  • The Drupal 7.x CKEditor contributed module is not affected if you are running CKEditor module 7.x-1.18 and using CKEditor from the CDN, since it currently uses a version of the CKEditor library that is not vulnerable.
  • If you installed CKEditor in Drupal 7 using another method (for example with the WYSIWYG module or the CKEditor module with CKEditor locally) and you’re using a version of CKEditor from 4.5.11 up to 4.9.1, update the third-party JavaScript library by downloading CKEditor 4.9.2 from CKEditor’s site.