Drupal has released a security update, rated Moderately Critical, to address cross-site scripting (XSS) vulnerabilities in the third-party CKEditor library bundled with Drupal 8.7.x and 8.8.x.
The advisory (SA-CORE-2020-001) covers the CKEditor library shipped with Drupal core; the update affects only sites whose configuration actually uses that editor.
Drupal upgraded its bundled copy to CKEditor 4.14, a highly configurable WYSIWYG HTML editor. That CKEditor release patches two cross-site scripting (XSS) vulnerabilities, as noted in a previous blog post.
“Vulnerabilities are possible if Drupal is configured to use the WYSIWYG CKEditor for your site’s users. An attacker that can create or edit content may be able to exploit this Cross Site Scripting (XSS) vulnerability to target users with access to the WYSIWYG CKEditor, and this may include site admins with privileged access,” Drupal warned in the advisory.
Drupal recommends upgrading to Drupal 8.8.4 if you run Drupal 8.8.x, or to Drupal 8.7.12 if you run Drupal 8.7.x. Alternatively, administrators can disable the WYSIWYG modules to mitigate the vulnerability until the site has been updated.
Finally, the NIST NVD entries for the CKEditor XSS vulnerabilities are available under CVE-2020-9281 and CVE-2020-9440.
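For anyone triaging a fleet of Drupal sites against this advisory, the following is an added example (not code from Drupal or from the original post) that turns the two fixed releases named above into a version check. It assumes the version strings come from a source such as `drush status` or the `VERSION` constant in `core/lib/Drupal.php`; the inventory below is constructed sample data. Branches other than 8.7.x and 8.8.x are reported as not covered, since the advisory says nothing about them.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed releases named in SA-CORE-2020-001: 8.7.x is fixed in 8.7.12,
# 8.8.x is fixed in 8.8.4. Any lower patch level on those branches is affected.
FIXED_IN: Dict[Tuple[int, int], int] = {(8, 7): 12, (8, 8): 4}

# Accepts "8.8.3" and pre-release forms such as "8.8.4-rc1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(version: str) -> Tuple[int, int, int, Optional[str]]:
    """Split a Drupal core version string into (major, minor, patch, pre-release)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return major, minor, patch, m.group(4)


def is_affected(version: str) -> Optional[bool]:
    """True if the version predates the fix on an affected branch,
    False if it is at or past the fix, None if the branch is not covered
    by this advisory."""
    major, minor, patch, pre = parse_version(version)
    fixed_patch = FIXED_IN.get((major, minor))
    if fixed_patch is None:
        return None
    if patch < fixed_patch:
        return True
    # A pre-release of the fixing version (e.g. 8.8.4-rc1) still predates the fix.
    if patch == fixed_patch and pre is not None:
        return True
    return False


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each site to a recommended action based on its core version."""
    report: Dict[str, str] = {}
    for site, version in inventory.items():
        affected = is_affected(version)
        if affected is None:
            report[site] = "not covered by SA-CORE-2020-001"
        elif affected:
            major, minor, _, _ = parse_version(version)
            report[site] = f"update to {major}.{minor}.{FIXED_IN[(major, minor)]}"
        else:
            report[site] = "already patched"
    return report


# Constructed sample inventory (hostname -> Drupal core version).
SAMPLE_INVENTORY = {
    "intranet.example": "8.8.3",
    "blog.example": "8.8.4",
    "legacy.example": "8.7.11",
    "shop.example": "8.7.12",
    "staging.example": "8.8.4-rc1",
}

if __name__ == "__main__":
    for site, action in triage(SAMPLE_INVENTORY).items():
        print(f"{site}: {action}")
```

Sites reported as affected should be updated, or have the WYSIWYG modules disabled in the meantime, as the advisory recommends.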