
it-securitynotifies - [IT-SecNots] [Security-news] Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2021-003

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2021-003
  • Date: Thu, 27 May 2021 02:51:17 +0000 (UTC)
  • Authentication-results: mail02.piratenpartei.de; dkim=none; spf=pass (mail02.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.138 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-core-2021-003

Project: Drupal core [1]
Date: 2021-May-26
Security risk: *Moderately critical* 14/25
AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default [2]
Vulnerability: Cross Site Scripting

Description: 
Drupal core uses the third-party CKEditor library. This library has an error
in parsing HTML that could lead to an XSS attack. CKEditor 4.16.1 and later
include the fix.

Users of the CKEditor library via means other than Drupal core should update
their 3rd party code (e.g. the WYSIWYG module for Drupal 7). The Drupal
Security Team policy is not to alert for issues affecting 3rd party libraries
unless those are shipped with Drupal core. See DRUPAL-SA-PSA-2016-004 for
more details [3].

This issue is mitigated by the fact that it only affects sites with CKEditor
enabled.

Solution: 
Install the latest version:

* If you are using Drupal 9.1, update to Drupal 9.1.9 [4].
* If you are using Drupal 9.0, update to Drupal 9.0.14 [5].
* If you are using Drupal 8.9, update to Drupal 8.9.16 [6].

Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive
security coverage.
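As an added triage helper (not part of the advisory or of Drupal), the Python below maps a site's Drupal core version and CKEditor module state onto the update advice above, and checks the version string of a bundled CKEditor 4 build against the 4.16.1 fix. The minified `ckeditor.js` sample is constructed, and the assumption that the build carries a `version:"4.x.y"` property is the author's, not the advisory's.

```python
import re
from typing import Optional, Tuple

# Fixed Drupal core releases named in SA-CORE-2021-003, keyed by supported branch.
FIXED_RELEASES = {(9, 1): (9, 1, 9), (9, 0): (9, 0, 14), (8, 9): (8, 9, 16)}
CKEDITOR_FIXED = (4, 16, 1)  # CKEditor 4.16.1 and later include the fix


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a dotted version such as '9.1.8' or '4.16.1' into an int tuple.
    A pre-release suffix (e.g. '9.2.0-beta1') is dropped and compares as its base."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def core_status(drupal_version: str, ckeditor_enabled: bool) -> str:
    """Return the action this advisory implies for one Drupal site."""
    if not ckeditor_enabled:
        return "not affected: the CKEditor module is not enabled"
    v = parse_version(drupal_version)
    major, minor = (v + (0, 0))[:2]
    if major < 8:  # e.g. Drupal 7: CKEditor comes from a third-party module, not core
        return "CKEditor is not shipped with this core; update the third-party library to 4.16.1+"
    if major == 8 and minor < 9:
        return "end-of-life: no security coverage, move to a supported branch"
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return "branch not covered by this advisory; check drupal.org"
    if v >= fixed:
        return "patched"
    return "vulnerable: update to Drupal " + ".".join(map(str, fixed))


def ckeditor_version_from_js(js_text: str) -> Optional[Tuple[int, ...]]:
    """Extract the version from a CKEditor 4 build (assumed `version:"4.x.y"` property)."""
    m = re.search(r'version\s*:\s*["\'](\d+\.\d+\.\d+)["\']', js_text)
    return parse_version(m.group(1)) if m else None


def ckeditor_status(js_text: str) -> str:
    v = ckeditor_version_from_js(js_text)
    if v is None:
        return "unknown: no version string found in ckeditor.js"
    if v >= CKEDITOR_FIXED:
        return "patched"
    return "vulnerable: CKEditor " + ".".join(map(str, v)) + " is older than 4.16.1"


# Constructed sample of the head of a minified CKEditor 4 build (not a real file).
SAMPLE_CKEDITOR_JS = ('window.CKEDITOR||(window.CKEDITOR=function(){var a={timestamp:"L3DA",'
                      'version:"4.15.1",revision:"abc123"};return a}());')
```

Point `ckeditor_status` at the contents of the site's bundled ckeditor.js and `core_status` at the core version reported by `drush status`; a site is only clear when both checks come back patched or not affected.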

Reported By: 
* Or Sahar [7]

Fixed By: 
* Greg Knaddison [8] of the Drupal Security Team
* Jess [9] of the Drupal Security Team
* Krzysztof Krzton [10]
* Lee Rowlands [11] of the Drupal Security Team
* Michael Hess [12] of the Drupal Security Team


[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/psa-2016-004
[4] https://www.drupal.org/project/drupal/releases/9.1.9
[5] https://www.drupal.org/project/drupal/releases/9.0.14
[6] https://www.drupal.org/project/drupal/releases/8.9.16
[7] https://www.drupal.org/user/3676145
[8] https://www.drupal.org/user/36762
[9] https://www.drupal.org/user/65776
[10] https://www.drupal.org/user/3618903
[11] https://www.drupal.org/user/395439
[12] https://www.drupal.org/user/102818

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news


Archive provided by MHonArc 2.6.24.