it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] CKEditor - WYSIWYG HTML editor - Moderately critical - Cross site scripting - SA-CONTRIB-2020-007
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] CKEditor - WYSIWYG HTML editor - Moderately critical - Cross site scripting - SA-CONTRIB-2020-007
- Date: Wed, 18 Mar 2020 19:57:02 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2020-007
Project: CKEditor - WYSIWYG HTML editor [1]
Date: 2020-March-18
Security risk: *Moderately critical* 11/25
AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross site scripting
Description:
The CKEditor module (and its predecessor, the FCKeditor module) allows Drupal to
replace textarea fields with CKEditor 3.x/4.x (FCKeditor 2.x in the case of the
FCKeditor module), a visual HTML editor, sometimes called a WYSIWYG editor.
Because the module's admin section passed unfiltered data to the JavaScript
`eval()` function, a user with permission to create content that is displayed
in the admin area could inject a specially crafted script and cause Cross Site
Scripting (XSS).
The problem existed in the CKEditor module for Drupal, not in the JavaScript
libraries of the same names.
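The following is an added illustration of the bug class the advisory describes (a server-built string handed to `eval()` on an admin page), shown beside the JSON-based form that removes the code-execution path. It is not the CKEditor module's code; the settings layout, the `label` field, the `sideEffects` recorder and the attacker payload are all constructed for the example.

```javascript
// Added example, not the CKEditor module's code. Shows why eval() on a
// server-built string is an XSS sink and how JSON serialisation fixes it.
// All names, the settings layout and the payload are constructed here.

// Records anything an injected script manages to execute, so the
// difference between the two loaders is observable in a test.
const sideEffects = [];

// Constructed attacker input: a content label that closes the string
// literal, appends its own statement, and reopens an object so the
// expression still evaluates without a syntax error.
const maliciousLabel = "a'}); sideEffects.push('injected script ran'); ({b:'c";

// Unsafe server-side serialisation: per-content editor settings are
// embedded in the admin page by string concatenation, with no escaping.
function serializeUnsafe(label) {
  return "({ toolbar: 'Full', label: '" + label + "' })";
}

// Vulnerable loader: eval() parses the whole string as JavaScript, so the
// label is executed as code. A direct eval runs in this scope, which is
// what lets the payload reach sideEffects (in a browser it would reach
// document, cookies and the admin's session).
function loadSettingsEval(settingsString) {
  return eval(settingsString);
}

// Safe serialisation: JSON.stringify escapes quotes, braces and control
// characters, so the label can only ever be data.
function serializeJson(label) {
  return JSON.stringify({ toolbar: "Full", label: label });
}

// Hardened loader: JSON.parse accepts only JSON and never executes
// anything. A malformed string throws instead of running.
function loadSettingsJson(settingsString) {
  return JSON.parse(settingsString);
}

// Runs both paths on the same attacker label and reports what happened.
function demo() {
  sideEffects.length = 0;
  const viaEval = loadSettingsEval(serializeUnsafe(maliciousLabel));
  const evalRan = sideEffects.length;

  sideEffects.length = 0;
  const viaJson = loadSettingsJson(serializeJson(maliciousLabel));
  const jsonRan = sideEffects.length;

  return { viaEval, evalRan, viaJson, jsonRan };
}

// Stand-alone run: the eval path executes the payload and even loses the
// intended settings; the JSON path keeps the label as an inert string.
if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Two points worth checking in a review of similar code: first, the eval path does not merely leak the payload, it replaces the intended settings object with whatever the attacker's last expression returns, so the admin page would misbehave silently; second, the fix is not "escape quotes better" but changing the channel so that data can never be parsed as code, which is what JSON.parse (or, in Drupal 7, passing values through `Drupal.settings`) does.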
Solution:
Install the latest version:
* If you use the CKEditor module for Drupal 7.x, upgrade to CKEditor
7.x-1.19 [3]
Also see the CKEditor - WYSIWYG HTML editor [4] project page.
Reported By:
* Yonatan Offek [5]
Fixed By:
* Robert Mikołajuk [6]
Coordinated By:
* Greg Knaddison [7] of the Drupal Security Team
[1] https://www.drupal.org/project/ckeditor
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/ckeditor/releases/7.x-1.19
[4] https://www.drupal.org/project/ckeditor
[5] https://www.drupal.org/user/194009
[6] https://www.drupal.org/user/2793801
[7] https://www.drupal.org/user/36762
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
Archive provided by MHonArc 2.6.19.