Drupal has rolled out updates since cross-site scripting vulnerabilities were discovered within CKEditor. The developers behind CKEditor have also patched the XSS bugs with a hotfix release. All CKEditor users should now update their sites accordingly to remain safe.
Multiple CKEditor XSS Bugs Fixed
Reportedly, CKEditor – an open-source WYSIWYG rich-text editor – addressed two XSS bugs with the latest release 4.17.0. Both vulnerabilities affected all earlier CKEditor 4 versions.
One of these vulnerabilities (CVE-2021-41165), reported by William Bowling, existed in the core HTML processing module. As described in CKEditor’s advisory, exploiting this bug could allow executing malicious code.
The vulnerability allowed injecting malformed comment HTML, bypassing content sanitization, which could result in executing JavaScript code.
The other vulnerability (CVE-2021-41164), reported by Maurice Daue, affected the Advanced Content Filter (ACF) module. Describing its impact, the advisory reads,
The vulnerability allowed injecting malformed HTML, bypassing content sanitization, which could result in executing JavaScript code.
While the team promptly fixed the flaws, it had to make one more change because the updates caused problems. Consequently, they released a hotfix as CKEditor 4.17.1.
Drupal Also Released Updates
These CKEditor bugs and the subsequent updates also affected Drupal, which uses the CKEditor library for WYSIWYG editing. Therefore, Drupal also released security updates for its users.
Regarding the impact of the bugs, Drupal’s advisory states,
Vulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor, including site admins with privileged access.
Consequently, the developers rolled out Drupal versions 9.2.9, 9.1.14, and 8.9.20 with the patches for the users of Drupal 9.2, 9.1, and 8.9, respectively.
The team confirmed that these issues do not affect Drupal 7 core since it doesn’t include CKEditor.
However, all other Drupal users (including those using end-of-life versions) should update to the latest releases to remain safe.
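As an added triage example (not from the article, Drupal, or CKEditor), the script below maps the release numbers given above to an affected/patched verdict for a site's Drupal core and its bundled CKEditor 4 build. The `version:"4.x.y"` marker it looks for in ckeditor.js and the sample file contents are assumptions.

```python
import re

# Fixed releases named in the article. CKEditor 4.17.1 is the hotfix that
# supersedes 4.17.0, so anything older than it is treated as affected.
CKEDITOR_FIXED = (4, 17, 1)
# Supported Drupal branch -> first release carrying the CKEditor fix.
DRUPAL_FIXED = {(9, 2): (9, 2, 9), (9, 1): (9, 1, 14), (8, 9): (8, 9, 20)}

# Constructed sample of the version marker in a built CKEditor 4 ckeditor.js
# (assumption: the build exposes it as `version:"4.x.y"`).
SAMPLE_CKEDITOR_JS = 'CKEDITOR={timestamp:"L5AF",version:"4.16.2",revision:"abc"};'


def parse_version(text):
    """Turn '4.16.2', 'Drupal 9.2.8' or '9.2.x-dev' into a numeric tuple."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def ckeditor_version_from_js(js_source):
    """Extract the CKEditor version string from the contents of ckeditor.js."""
    m = re.search(r'version:"([0-9.]+)"', js_source)
    return m.group(1) if m else None


def ckeditor_affected(version):
    """All CKEditor 4 releases before the 4.17.1 hotfix are affected."""
    v = parse_version(version)
    return v[0] == 4 and v < CKEDITOR_FIXED


def drupal_status(version):
    """Classify a Drupal core version against the fixed releases above."""
    v = parse_version(version)
    if v[0] == 7:
        return "not affected: Drupal 7 core does not include CKEditor"
    fixed = DRUPAL_FIXED.get(v[:2])
    if fixed is None:
        return "end-of-life branch: no fixed release, move to a supported branch"
    if v >= fixed:
        return "patched"
    return "affected: update to " + ".".join(map(str, fixed))


if __name__ == "__main__":
    found = ckeditor_version_from_js(SAMPLE_CKEDITOR_JS)
    print("bundled CKEditor", found, "affected:", ckeditor_affected(found))
    for drupal in ("9.2.8", "9.1.14", "8.9.19", "7.82", "9.0.0"):
        print("Drupal", drupal, "->", drupal_status(drupal))
```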
The US CISA has also issued an alert in this regard urging Drupal updates.