Drupal has patched Moderately Critical third-party library CKEditor vulnerabilities that affect multiple versions of Drupal Core.
A remote attacker could exploit these vulnerabilities to compromise an affected system.
The Drupal update SA-CORE-2021-005 patched Moderately Critical vulnerabilities in CKEditor, a third-party library for WYSIWYG editing:
“Vulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor, including site admins with privileged access.”
The issue affects Drupal 8.9, 9.1 and 9.2. The company added that Drupal 8 versions prior to 8.9.x and Drupal 9 versions prior to 9.1.x are end-of-life and do not receive security coverage.
Moreover, CKEditor released more details as part of CKEditor security update 4.16.2 that addressed several vulnerabilities:
- CVE-2021-32809: Clipboard plugin vulnerability.
- CVE-2021-32808: Widget HTML vulnerability.
- CVE-2021-37695: Fake Objects plugin vulnerability.
The updates also included several improvements to address browser compatibility issues.
Although CKEditor described each of these as low-impact issues, the firm still stated that “an upgrade is highly recommended.”
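A defender's first question is whether a given Drupal checkout still ships a CKEditor build older than the 4.16.2 fix release named above. The following is an added example, not code from Drupal or CKEditor; it assumes the library is bundled at core/assets/vendor/ckeditor/ckeditor.js (the usual Drupal 8/9 location) and that the built file embeds its version as `version:"4.x.y"`.

```python
import re
import sys
from pathlib import Path

# CKEditor release that addressed CVE-2021-32809, CVE-2021-32808 and CVE-2021-37695.
FIXED_CKEDITOR = (4, 16, 2)

# Assumption: Drupal 8/9 bundles the library at this path inside the site root.
DEFAULT_CKEDITOR_JS = "core/assets/vendor/ckeditor/ckeditor.js"

# Assumption: the built ckeditor.js carries version:"4.x.y" (or version="4.x.y").
_VERSION_RE = re.compile(r'version\s*[:=]\s*["\'](\d+)\.(\d+)\.(\d+)')


def parse_ckeditor_version(js_text):
    """Return the (major, minor, patch) tuple embedded in ckeditor.js, or None."""
    m = _VERSION_RE.search(js_text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version):
    """True when the bundled CKEditor predates the 4.16.2 fix release."""
    return version is not None and version < FIXED_CKEDITOR


def check_drupal_root(root):
    """Inspect a Drupal checkout; (None, None) means no bundled ckeditor.js found."""
    js_path = Path(root) / DEFAULT_CKEDITOR_JS
    if not js_path.is_file():
        return None, None
    version = parse_ckeditor_version(js_path.read_text(errors="replace"))
    return version, is_vulnerable(version)


# Constructed sample mimicking the header region of a pre-fix ckeditor.js build.
SAMPLE_OLD = 'timestamp:"L0XI",version:"4.16.1",revision:"0123abcd"'

if __name__ == "__main__":
    site_root = sys.argv[1] if len(sys.argv) > 1 else "."
    found, vulnerable = check_drupal_root(site_root)
    if found is None:
        print("no bundled ckeditor.js under", site_root)
    else:
        print("CKEditor", ".".join(map(str, found)),
              "- UPGRADE REQUIRED" if vulnerable else "- at or above 4.16.2")
```

Run it against the site root; a result of "UPGRADE REQUIRED" means the SA-CORE-2021-005 core update has not been applied to that checkout.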