Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2022-January-05
Vulnerability:
Cross site scripting
Description:
This module enables you to integrate various What-You-See-Is-What-You-Get (WYSIWYG) rich text editors into Drupal fields with text formats allowing markup for easier editing.
The module doesn't sufficiently sanitize user input before attaching a WYSIWYG editor to an input field such as a textarea. If the editor used has an XSS vulnerability this would allow for example a commenter to put specially crafted markup which could trigger the vulnerability when viewed in the editor by an administrator.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content using a text format with an attached and XSS vulnerable rich text editor.
Solution:
Install the latest version:
- If you use the Wysiwyg module for Drupal 7.x, upgrade to WYSIWYG 7.x-2.9
After upgrading verify that text formats which have a WYSIWYG editor profile also uses a text filter, such as Core's "Limit allowed HTML tags", if accessible by untrusted users.
A list of known compatible input filters that will be applied is shown when configuring a WYSIWYG editor profile along with a status indicator.
It is recommended to always be using the latest stable version of any installed editor libraries.
Reported By:
Fixed By:
- Daniel Kudwien
- Henrik Danielsson
- r0ng
- Wim Leers
- Mori Sugimoto of the Drupal Security Team
- Damien McKenna of the Drupal Security Team
Coordinated By:
- Greg Knaddison of the Drupal Security Team
- Damien McKenna of the Drupal Security Team
- Chris of the Drupal Security Team
