• Advisory ID: PSA-2011-002
  • Date: 2011-June-15
  • Project: External libraries and plugins


Just like there's a need to dilligently follow announcements and update contributed modules downloaded from Drupal.org, there's also a need to follow announcements by vendors of third-party libraries or plugins that are required by such modules.

Drupal's update module has no functionality to alert you to these announcements. The Drupal security team will not release announcements about security issues in external libraries and plugins.

The specific issue precipitating this public service announcement is a cross site scripting vulnerability in (F)CKEditor, a common JavaScript-based WYSIWYG editor used as a library in the modules CKeditor, FCKEditor and WYSIWYG.

Exploit examples are circulating.

Versions affected

  • CKEditor versions prior to version 3.5.4
  • FCKEditor versions prior to version


Follow release announcements by the vendors of the external libraries and plugins you use.

In this specific case, remove the _samples directory from the (f)ckeditor installation or upgrade to a non-vulnerable version. Make sure to test compatibility between Drupal modules and new library versions before deploying.

Reported by

The Drupal security was alerted to this issue by Henry Sudhof.


The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.