Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2021-August-25
Vulnerability:
Cross Site Scripting
Affected versions:
<5.28.0 || >=6.0.0 <6.0.5
Description:
The Webform module uses the CKEditor, library for WYSIWYG editing. CKEditor has released a security update that impacts Webform.
An attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor, including site admins with privileged access.
For more information, see CKEditor's announcement of the release.
Solution:
Install the latest version:
- If you use the Webform module module for Drupal 8/9 upgrade to Webform 8.x-5.28 or Webform 6.0.5
If you are using a previous release of the Webform module you can immediately do one of several options.
- Update Drupal
- If you are using Composer, run
drush webform:libraries:composer > DRUPAL_ROOT/composer.libraries.jsonand runcomposer update - If you are using Drush, run
drush webform:libraries:update
Reported By:
- Lee Rowlands of the Drupal Security Team
Fixed By:
Coordinated By:
- Greg Knaddison of the Drupal Security Team
- xjm of the Drupal Security Team
