XSS vulnerability in CKEditor prompts need for Drupal update

Text editor flaw spawns CVE

UPDATED A vulnerability in a third-party library component has had a knock-on effect on software packages that rely on it, including the Drupal content management system.

The issue involves a cross-site scripting (XSS) bug in CKEditor, a rich text editor that comes bundled with various online applications.

An attacker might be able to exploit the XSS vulnerability to target users with access to CKEditor. This potentially includes site admins with privileged access.

Exploitation is far from straightforward and would involve tricking potential victims into copying maliciously crafted HTML code before pasting it into CKEditor in ‘WYSIWYG’ mode.

“Although this is an unlikely scenario, we recommend upgrading to the latest editor version,” developers of CKEditor explain in an advisory, issued earlier this month.

CKEditor 4.14 fixes this XSS vulnerability in the HTML data processor, discovered by Michał Bentkowski of Securitum, as well as offering featuring improvements and resolution for an unrelated XSS vulnerability in the third-party WebSpellChecker Dialog plugin.

An advisory from Drupal, issued on Wednesday, instructs users to update to a version of the CMS that feature the updated version of CKEditor in order to mitigate the vulnerability.

In practice, this means upgrading to either Drupal 8.8.4 or Drupal 8.7.12.

The security flaw is described as “moderately critical” by Drupal, even though attackers would need to be able to create or edit content in order to attempt exploitation.

Bentkowski told The Daily Swig that a lot of services use CKEditor, "from my experience I’d say that it’s the most popular web WYSIWYG editor along with TinyMCE".

The security researcher went on to explain how he discovered the flaw.

"I’ve come across this bug when analyzing how various WYSIWYG editors handle pasting HTML content," Bentkowski explained. "I'd say that its severity is moderate: the user needs to copy something from a malicious website and then paste it in CKEditor. The effects of the bug are as usual for XSS: the ability to take over user session."

This article has been updated to include comment from Michał Bentkowski.