
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN143
_____________________________________________________________________

DATE                : 19/03/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Drupal core versions prior to
                     8.8.4 and 8.7.12.

=====================================================================
https://www.drupal.org/sa-core-2020-001
_____________________________________________________________________

Drupal core - Moderately critical - Third-party library - SA-CORE-2020-001

Project: Drupal core
Version: 8.8.x-dev
         8.7.x-dev
Date: 2020-March-18
Security risk:
Moderately critical 13/25
AC:Complex/A:User/CI:Some/II:Some/E:Proof/TD:Default
Vulnerability: Third-party library


Description:

The Drupal project uses the third-party library CKEditor, which has
released a security improvement that is needed to protect some Drupal
configurations.

Vulnerabilities are possible if Drupal is configured to offer the WYSIWYG
CKEditor to your site's users. An attacker who can create or edit
content may be able to exploit this Cross Site Scripting (XSS)
vulnerability to target users with access to the WYSIWYG CKEditor, which
may include site administrators with privileged access.

The latest versions of Drupal update CKEditor to 4.14 to mitigate the
vulnerabilities.


Solution:

Install the latest version:

    If you are using Drupal 8.8.x, upgrade to Drupal 8.8.4.
    If you are using Drupal 8.7.x, upgrade to Drupal 8.7.12.

Versions of Drupal 8 prior to 8.7.x have reached end-of-life and do not
receive security coverage.

The CKEditor module can also be disabled to mitigate the vulnerability
until the site is updated.


Note for Drupal 7 users

Drupal 7 core is not affected by this release; however, users who have
installed the third-party CKEditor library (for example, with a
contributed module) should ensure that the downloaded library is updated
to CKEditor 4.14 or higher, or that CDN URLs point to a version of
CKEditor 4.14 or higher. Disabling all WYSIWYG modules can mitigate the
vulnerability until the site is updated.
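The following triage helper, added here as an illustration and not part of the CERT-Renater note or the Drupal project, encodes the version logic of the Solution section and the Drupal 7 note above: it classifies a Drupal core version string against the fixed releases 8.8.4 and 8.7.12 (treating branches before 8.7.x as end-of-life) and checks whether a CKEditor CDN URL pins a version of 4.14 or higher. The CDN URL layout (`cdn.ckeditor.com/<version>/...`) and the `drupal_status` / `ckeditor_url_ok` names are assumptions made for this example.

```python
"""Triage helper for SA-CORE-2020-001 (constructed example, not Drupal code)."""
import re

# Fixed releases named in the advisory, keyed by the supported 8.x branch.
FIXED = {(8, 8): (8, 8, 4), (8, 7): (8, 7, 12)}
# Minimum CKEditor release the advisory asks for (major, minor).
CKEDITOR_MIN = (4, 14)


def parse_version(text: str) -> tuple:
    """Extract (major, minor, patch) from a version string; patch defaults to 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(x) for x in m.groups(default="0"))


def drupal_status(version: str) -> str:
    """Classify a Drupal core version against the fixed releases in the advisory."""
    v = parse_version(version)
    if v[0] == 7:
        # Drupal 7 core is not affected, but a separately installed CKEditor
        # library still has to be 4.14 or higher (see the Drupal 7 note).
        return "not affected: verify any installed CKEditor library is >= 4.14"
    if v[0] != 8:
        return "not covered by this advisory"
    branch = v[:2]
    if branch < (8, 7):
        return "end-of-life: no security coverage, move to a supported branch"
    if branch not in FIXED:
        return "not covered by this advisory"
    fixed = FIXED[branch]
    if v >= fixed:
        return "fixed"
    return "affected: upgrade to " + ".".join(str(n) for n in fixed)


def ckeditor_url_ok(url: str) -> bool:
    """True only when a CDN URL pins CKEditor 4.14 or higher (assumed URL layout)."""
    m = re.search(r"cdn\.ckeditor\.com/(\d+\.\d+(?:\.\d+)?)/", url)
    if not m:
        # Unpinned or unrecognised URL: cannot verify, so report it as not OK.
        return False
    return parse_version(m.group(1))[:2] >= CKEDITOR_MIN


if __name__ == "__main__":
    for ver in ("8.8.3", "8.8.4", "8.7.11", "8.6.17", "7.69"):
        print(ver, "->", drupal_status(ver))
    print(ckeditor_url_ok("https://cdn.ckeditor.com/4.13.1/standard/ckeditor.js"))
```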


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================



