Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2024-February-14
Vulnerability:
Cross Site Scripting
Affected versions:
>=1.0.0 <1.0.1
Description:
The CKEditor 4 LTS - WYSIWYG HTML editor module uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that on certain configurations may impact the Drupal module that bundles and integrates this code.
The vulnerability is mitigated by the fact it requires:
- full-page editing mode is enabled
- or CDATA elements in Advanced Content Filtering configuration (defaults to script and style elements) are enabled.
- An attacker must have a permission with access to the CKEditor instance.
For more information, see CKEditor's security advisory:
CVE-2024-24815: Cross-site scripting (XSS) vulnerability caused by incorrect CDATA detection
Solution:
Install the latest version:
- If you use the CKEditor 4 LTS - WYSIWYG HTML editor module for Drupal 9.4+, upgrade to ckeditor_lts 1.0.1
Reported By:
- Juraj Nemec of the Drupal Security Team
Fixed By:
Coordinated By:
- Greg Knaddison of the Drupal Security Team
- catch of the Drupal Security Team
- cilefen of the Drupal Security Team
