CKEditor vulnerabilities pose XSS threat to Drupal and other downstream applications

Drupal, the widely used web content management system (CMS), has released security updates due to vulnerabilities in CKEditor, a third-party rich text editor bundled with Drupal.

A pair of cross-site scripting (XSS) bugs, which are deemed ‘moderately critical’ by Drupal, could have a far-reaching impact since CKEditor is incorporated into numerous online applications.

Downloaded more than 30 million times, the open source WYSIWYG editor is used by Microsoft, Siemens, Volvo, Disney, Deloitte, and countless other organizations.

Drupal itself, which powers more than one million websites, has a huge install base.

The two flaws “may affect all plugins used by CKEditor 4”, said CKSource, the developer behind CKEditor.

Malformed HTML

The XSS vulnerabilities could enable attackers to “inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code”, says CKSource.

They were found in the core HTML processing module by developer William Bowling and in the advanced content filter module by security researcher Maurice Dauer.

Drupal says its users are vulnerable to the flaws if the CMS is configured to allow use of the CKEditor library for WYSIWYG editing.

“An attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more [of the bugs] to target users with access to the WYSIWYG CKEditor, including site admins with privileged access,” reads a security advisory published by Drupal on November 17.

The threat level is such that the US Cybersecurity and Infrastructure Security Agency (CISA) saw fit to issue a warning about the importance of applying updates.

Software updates

CKSource addressed the flaws with the release of version 4.17.0, as well as a hotfix, on November 17. All prior versions are vulnerable.

Users of Drupal 9.2 are advised to update to Drupal 9.2.9, users of Drupal 9.1 should update to Drupal 9.1.14, and users of Drupal 8.9 should update to Drupal 8.9.20.

Drupal 7, which does not include the CKEditor module, is not affected.

The update represents the final security release for Drupal 8, which joins versions older than 9.1.x in having reached its end of life.

The vulnerabilities echo another XSS found in CKEditor by Michał Bentkowski of Securitum in March 2020, as covered by The Daily Swig.

The Daily Swig has put additional questions to CKSource, Drupal, and the security researchers involved. We will update this article should we hear back.

Source: https://portswigger.net/daily-swig/ckeditor-vulnerabilities-pose-xss-threat-to-drupal-and-other-downstream-applications
