The CKEditor 4 LTS - WYSIWYG HTML editor module uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that, in certain configurations, may affect the Drupal module that bundles and integrates this code.
The vulnerability is mitigated by the fact that exploiting it requires:
- full-page editing mode to be enabled, or
- CDATA elements (by default, script and style elements) to be enabled in the Advanced Content Filtering configuration; and
- an attacker with a permission that grants access to the CKEditor instance.
For more information, see CKEditor's security advisory:
CVE-2024-24815: Cross-site scripting (XSS) vulnerability caused by incorrect CDATA detection
Install the latest version:
- If you use the CKEditor 4 LTS - WYSIWYG HTML editor module for Drupal 9.4+, upgrade to ckeditor_lts 1.0.1
- Juraj Nemec of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- catch of the Drupal Security Team
- cilefen of the Drupal Security Team