Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2018-April-18
Vulnerability:
Cross Site Scripting
Affected versions:
>= 8.0.0 <8.4.7 || >=8.5.0 <8.5.2
CVE IDs:
CVE-2018-9861
Description:
CKEditor, a third-party JavaScript library included in Drupal core, has fixed a cross-site scripting (XSS) vulnerability. The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor when using the image2 plugin (which Drupal 8 core also uses).
We would like to thank the CKEditor team for patching the vulnerability and coordinating the fix and release process, and matching the Drupal core security window.
Solution:
- If you are using Drupal 8, update to Drupal 8.5.2 or Drupal 8.4.7.
- The Drupal 7.x CKEditor contributed module is not affected if you are running CKEditor module 7.x-1.18 and using CKEditor from the CDN, since it currently uses a version of the CKEditor library that is not vulnerable.
- If you installed CKEditor in Drupal 7 using another method (for example with the WYSIWYG module or the CKEditor module with CKEditor locally) and you’re using a version of CKEditor from 4.5.11 up to 4.9.1, update the third-party JavaScript library by downloading CKEditor 4.9.2 from CKEditor's site.
Reported By:
Fixed By:
- Marek Lewandowski of the CKEditor team
- Wiktor Walc of the CKEditor team
- Wim Leers
- xjm of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
- Daniel Wehner
- Hai-Nam Nguyen
- Matthew Grill
