Drupal has patched two Moderately Critical vulnerabilities, an HTML processing flaw and a denial of service flaw, that affect multiple versions of Drupal Core.
A remote attacker could exploit these vulnerabilities to compromise an affected system.
The Drupal security update SA-CORE-2022-005 addressed two Drupal Core third party library vulnerabilities:
- CVE-2022-24728: HTML processing vulnerability that allows execution of JavaScript code
- CVE-2022-24729: Regular expression Denial of Service (ReDoS) in the dialog plugin
“Vulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor, including site admins with privileged access,” Drupal noted in the security advisory.
Each of the issues is fixed in Drupal 9.3.8 (for sites using Drupal 9.3) and Drupal 9.2.15 (for sites using Drupal 9.2).
All versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security updates.