CKEditor vulnerabilities pose XSS threat to Drupal and other downstream applications

guest · Nov 19, 2021

CKEditor vulnerabilities pose XSS threat to Drupal and other downstream applications
Attackers could bypass content sanitization with malformed HTML
November 19, 2021
https://portswigger.net/daily-swig/...t-to-drupal-and-other-downstream-applications

UPDATED Drupal, the widely used web content management system (CMS), has released security updates due to vulnerabilities in CKEditor, a third-party rich text editor bundled with Drupal.
Click to expand...

A pair of cross-site scripting (XSS) bugs, which are deemed ‘moderately critical’ by Drupal, could have a far-reaching impact since CKEditor is incorporated into numerous online applications.

Downloaded more than 30 million times, the open source WYSIWYG editor is used by Microsoft, Siemens, Volvo, Disney, Deloitte, and countless other organizations.
Drupal itself, which powers more than one million websites, has a huge install base.
Click to expand...

“Everyone who uses CKEditor 4 should upgrade the library. That affects many Drupal sites and also many other kinds of sites including CMS,” Greg Knaddison, volunteer member of the Drupal security team and senior director of information systems at the Morris Animal Foundation, tells The Daily Swig.
Malformed HTML
The XSS vulnerabilities could enable attackers to “inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code”, says CKSource,

They were found in the core HTML processing module by developer William Bowling and in the advanced content filter module by security researcher Maurice Dauer.
Click to expand...

The vulnerabilities echo another XSS found in CKEditor by Michał Bentkowski of Securitum in March 2020, as covered by The Daily Swig.
Click to expand...

Log in or Sign up

CKEditor vulnerabilities pose XSS threat to Drupal and other downstream applications

guest Guest

Log in or Sign up

CKEditor vulnerabilities pose XSS threat to Drupal and other downstream applications

guest Guest

Useful Searches