Attackers could bypass content sanitization with malformed HTML

CKEditor vulnerabilities pose XSS threat to Drupal and other downstream applications

UPDATED Drupal, the widely used web content management system (CMS), has released security updates due to vulnerabilities in CKEditor, a third-party rich text editor bundled with Drupal.

A pair of cross-site scripting (XSS) bugs, which are deemed ‘moderately critical’ by Drupal, could have a far-reaching impact since CKEditor is incorporated into numerous online applications.

Downloaded more than 30 million times, the open source WYSIWYG editor is used by Microsoft, Siemens, Volvo, Disney, Deloitte, and countless other organizations.

Drupal itself, which powers more than one million websites, has a huge install base.

“Both vulnerabilities were discovered in the core package of the CKEditor 4 and are affecting all earlier versions of the editor,” CKEditor 4 project leader Jacek Bogdański tells The Daily Swig.

Malformed HTML

The XSS vulnerabilities could enable attackers to “inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code”, says CKSource in the relevant advisories.

They were found in the core HTML processing module by developer William Bowling and in the advanced content filter module by security researcher Maurice Dauer.


Drupal says its users are vulnerable to the flaws if the CMS is configured to allow use of the CKEditor library for WYSIWYG editing.

“An attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more [of the bugs] to target users with access to the WYSIWYG CKEditor, including site admins with privileged access,” reads a security advisory published by Drupal on November 17.

The threat level is such that the US Cybersecurity and Infrastructure Security Agency (CISA) saw fit to issue a warning about the importance of applying updates.

However, although the number of potentially vulnerable systems is significant, the attack “requires tricking a potential victim to copy and paste malicious HTML from the external source to the editor”, says Bogdański.

He also emphasizes that the vulnerability is only present when a user is running an affected version of the editor, and that content previously produced with CKEditor is not itself affected.

“Nevertheless, we recommend upgrading the editor as soon as possible,” he adds.

CKEditor, Drupal updates

CKSource addressed the flaws with the release of version 4.17.0, as well as a hotfix, on November 17. All prior versions are vulnerable.

Mindful of their responsibility given CKEditor’s use “by millions of users worldwide”, Bogdański says CKSource has “designed a completely new architecture in CKEditor 5 to reduce the chances of having XSS issues”, but in the meantime will strive “to keep CKEditor 4 secure at least until 2023”.

Users of Drupal 9.2 are advised to update to Drupal 9.2.9, users of Drupal 9.1 should update to Drupal 9.1.14, and users of Drupal 8.9 should update to Drupal 8.9.20.

The update represents the final security release for Drupal 8, which joins versions older than 9.1.x in having reached its end of life.
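The version thresholds above (Drupal 9.2.9, 9.1.14 and 8.9.20; CKEditor 4.17.0 with all prior versions vulnerable) are the only actionable numbers in the advisory, and in practice an administrator has to apply them across an inventory of sites. The following Python helper is an added example, not code from the article, Drupal or CKSource: it encodes those fixed releases, classifies each site, and sorts the vulnerable ones to the top. The sample inventory is constructed, and the handling of branches the article does not name (Drupal 7, the end-of-life 8.0-8.8 and 9.0 lines, anything newer than 9.2) is an assumption based only on the end-of-life statement above.

```python
"""Version triage against the Drupal / CKEditor 4 advisory described above.

Assumptions: the fixed versions are the ones the article reports; branches it
does not name are treated as 'unsupported' (end of life) or 'out-of-scope';
the site inventory at the bottom is constructed sample data, not real hosts.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Fixed Drupal core releases, keyed by branch (numbers as reported above).
DRUPAL_FIXED: Dict[Tuple[int, int], Version] = {
    (9, 2): (9, 2, 9),
    (9, 1): (9, 1, 14),
    (8, 9): (8, 9, 20),
}
# CKSource's fixed CKEditor 4 release; the article says all prior versions are vulnerable.
CKEDITOR4_FIXED: Version = (4, 17, 0)


def parse_version(text: str) -> Version:
    """Turn '9.2.9', '8.9.19-dev' or '4.17.0+build' into a comparable tuple.

    Pre-release and build suffixes are dropped, so a '-dev' build is judged as
    its base release (conservative for a vulnerability check).
    """
    core = text.strip().split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def triage_drupal(version: str) -> str:
    """Classify a Drupal core version: 'fixed', 'vulnerable', 'unsupported' or 'out-of-scope'."""
    v = parse_version(version)
    branch = v[:2]
    if branch in DRUPAL_FIXED:
        # Tuple comparison: (9, 2, 8) < (9, 2, 9), and a bare (9, 2) also sorts below.
        return "fixed" if v >= DRUPAL_FIXED[branch] else "vulnerable"
    if v[0] == 8 or branch == (9, 0):
        # Assumption: 8.0-8.8 and 9.0 are older than 8.9.x / 9.1.x, so end of life
        # with no patched release to move to within the branch.
        return "unsupported"
    # Assumption: Drupal 7 (CKEditor only via a contributed module) and branches
    # newer than 9.2 are not addressed by the advisory quoted here.
    return "out-of-scope"


def triage_ckeditor(version: str) -> str:
    """Classify a bundled CKEditor library version; only the CKEditor 4 line is in scope."""
    v = parse_version(version)
    if v[0] != 4:
        return "out-of-scope"
    return "fixed" if v >= CKEDITOR4_FIXED else "vulnerable"


# Severity order used to pick the worst finding per site.
_ORDER = {"vulnerable": 3, "unsupported": 2, "out-of-scope": 1, "fixed": 0}


def triage_inventory(sites: List[Dict[str, str]]) -> Dict[str, str]:
    """Return {site name: worst status}, so vulnerable sites can be patched first."""
    results: Dict[str, str] = {}
    for site in sites:
        statuses = [triage_drupal(site["drupal"])]
        if "ckeditor" in site:  # library version, if the inventory records it separately
            statuses.append(triage_ckeditor(site["ckeditor"]))
        results[site["name"]] = max(statuses, key=_ORDER.__getitem__)
    return results


# Constructed sample inventory (hypothetical site names and versions).
SAMPLE_SITES: List[Dict[str, str]] = [
    {"name": "intranet", "drupal": "9.2.8", "ckeditor": "4.16.2"},
    {"name": "public-www", "drupal": "9.2.9", "ckeditor": "4.17.0"},
    {"name": "legacy-app", "drupal": "8.9.19-dev"},
    {"name": "archive", "drupal": "9.0.5"},
]

if __name__ == "__main__":
    findings = triage_inventory(SAMPLE_SITES)
    for name in sorted(findings, key=lambda n: -_ORDER[findings[n]]):
        print(f"{name:12s} {findings[name]}")
```

The check is deliberately branch-aware: a site on 9.1.14 is fixed even though 9.2.9 is numerically higher, and an 8.9.19 site is vulnerable rather than merely old, which matches the article's point that 8.9.20 is the last security release for that line.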

Users should upgrade to Drupal 8 “and, as quickly as possible, upgrade to Drupal 9”, Greg Knaddison, volunteer member of the Drupal security team and senior director of information systems at the Morris Animal Foundation, tells The Daily Swig. “It’s a very straightforward process due to the way we managed deprecation and backwards compatibility in this release cycle.”

Although Drupal 7 does not include the CKEditor module, continues Knaddison, it “can be affected if the site uses the CKEditor via a contributed module. The Security Team does not do advisories for modules where the site admin has to download library code (like CKEditor) as part of the installation,” he adds, citing a recent policy.

Both Knaddison and Bogdański thanked the researchers who uncovered the vulnerabilities. Knaddison also commended Bogdański for keeping the Drupal team “updated throughout the process with respect to timing and the hotfix so we could be well prepared”.

Bogdański praised the numerous security researchers who have disclosed vulnerabilities over the years, all of whom did so responsibly. “That’s the beauty of open source,” he says. “By letting everyone access your source code, one increases the chances of finding your weaknesses, but at the same time it makes your software better each time.”

This article was updated on November 19 with comments from Greg Knaddison of the Drupal security team, and on November 24 with comments from CKSource.
