Drupal Releases Security Updates

Threat ID:: CC-4058
Threat Severity:: Information only
Published:: 18 March 2022 3:53 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Affected platforms

The following platforms are known to be affected:

Versions: all prior to 9.3.8, all prior to 9.2.15

Drupal 9

Threat details

Prior versions of Drupal

Drupal 9 prior to 9.2.x and Drupal 8 are end-of-life and do not receive security coverage.

Drupal 7, 8, and 9 site owners should review their site following the protocol for managing external libraries and plugins previously suggested by the Drupal Security Team, as contributed projects may use additional CKEditor plugins not packaged in Drupal core.

Introduction

Drupal has released security updates to address cross-site scripting (XSS) and denial-of-service vulnerabilities in the third-party CKEditor library for what-you-see-is-what-you-get (WYSIWYG) editing. An attacker could exploit these vulnerabilities to take control of an affected system.

Remediation advice

Affected organisations are encouraged to review Drupal Security Advisories SA-CORE-2022-005 and apply the necessary updates.

Definitive source of threat updates

https://www.drupal.org/sa-core-2022-005

CVE Vulnerabilities

Status Published

CVE-2022-24728

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.

Status Published

CVE-2022-24729

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.

Last edited: 18 March 2022 3:53 pm