
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN142
_____________________________________________________________________

DATE                : 19/03/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running CKEditor for Drupal versions prior
                     to 7.x-1.19.

=====================================================================
https://www.drupal.org/sa-contrib-2020-007
_____________________________________________________________________

CKEditor - WYSIWYG HTML editor - Moderately critical - Cross site
scripting - SA-CONTRIB-2020-007

Project: CKEditor - WYSIWYG HTML editor
Date: 2020-March-18
Security risk:
Moderately critical 11/25
AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross site scripting


Description:

The CKEditor module (and its predecessor, the FCKeditor module) allows
Drupal to replace textarea fields with CKEditor 3.x/4.x (FCKeditor
2.x in the case of the FCKeditor module), a visual HTML editor, sometimes
called a WYSIWYG editor.

Because the module's admin section passed unfiltered data to the
JavaScript `eval()` function, a user with permission to create content
visible in the admin area could inject a specially crafted malicious
script, resulting in Cross Site Scripting (XSS).

The problem existed in the CKEditor module for Drupal, not in the
JavaScript libraries of the same name.
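The pattern behind this class of bug, as an added illustration (this is
not code from the CKEditor module or from the advisory, and the setting
names `toolbar` and `width` are assumptions for illustration only): a
settings blob handed to `eval()` is executed as JavaScript, whereas a
strict `JSON.parse()` followed by an allow-list check treats the same
input as data and rejects anything outside the expected shape.

```javascript
// Added example, not the module's own code. Contrasts parsing a settings
// blob with eval() against JSON.parse() plus a key/type allow-list.
// The setting names (toolbar, width) are assumptions for illustration.

// Vulnerable pattern: eval() runs whatever the blob contains as JavaScript.
function parseSettingsUnsafe(blob) {
  // eslint-disable-next-line no-eval
  return eval("(" + blob + ")");
}

// Expected keys and their types (assumed schema for this example).
const ALLOWED = { toolbar: "string", width: "number" };

// Hardened pattern: JSON.parse() never executes code; the allow-list then
// rejects unknown keys (including "__proto__") and wrong types.
function parseSettingsSafe(blob) {
  let data;
  try {
    data = JSON.parse(blob);
  } catch (e) {
    return { ok: false, error: "not valid JSON" };
  }
  if (data === null || typeof data !== "object" || Array.isArray(data)) {
    return { ok: false, error: "not an object" };
  }
  const out = {};
  for (const key of Object.keys(data)) {
    if (!Object.prototype.hasOwnProperty.call(ALLOWED, key)) {
      return { ok: false, error: "unknown key " + key };
    }
    if (typeof data[key] !== ALLOWED[key]) {
      return { ok: false, error: "bad type for " + key };
    }
    out[key] = data[key];
  }
  return { ok: true, settings: out };
}

// Constructed inputs: a benign blob, and one carrying a JS expression whose
// only side effect is setting a marker flag so the difference is observable.
const BENIGN = '{"toolbar":"Basic","width":600}';
const HOSTILE = '(globalThis.sideEffectRan = true, {"toolbar":"Basic"})';

function demo() {
  globalThis.sideEffectRan = false;
  const unsafe = parseSettingsUnsafe(HOSTILE); // marker flag gets set
  const ranViaEval = globalThis.sideEffectRan === true;
  const safe = parseSettingsSafe(HOSTILE);     // rejected, nothing executed
  return { ranViaEval, unsafeToolbar: unsafe.toolbar, safeOk: safe.ok };
}
```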


Solution:

Install the latest version:

    If you use the CKEditor module for Drupal 7.x, upgrade to CKEditor
    7.x-1.19

Also see the CKEditor - WYSIWYG HTML editor project page


Reported By:

    Yonatan Offek

Fixed By:

    Robert Mikołajuk

Coordinated By:

    Greg Knaddison of the Drupal Security Team



=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================
