[SECURITY-L] [Security-news] Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2021-003

CSIRT Unicamp security at unicamp.br
Thu May 27 09:14:08 -03 2021


View online: https://www.drupal.org/sa-core-2021-003

Project: Drupal core [1]
Date: 2021-May-26
Security risk: *Moderately critical* 14/25
AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default [2]
Vulnerability: Cross Site Scripting

Description:
Drupal core uses the third-party CKEditor library. This library has an error
in parsing HTML that could lead to an XSS attack. CKEditor 4.16.1 and later
include the fix.

Users of the CKEditor library via means other than Drupal core should update
their 3rd party code (e.g. the WYSIWYG module for Drupal 7). The Drupal
Security Team policy is not to alert for issues affecting 3rd party libraries
unless those are shipped with Drupal core. See DRUPAL-SA-PSA-2016-004 for
more details [3].

This issue is mitigated by the fact that it only affects sites with CKEditor
enabled.

Solution:
Install the latest version:

   * If you are using Drupal 9.1, update to Drupal 9.1.9 [4].
   * If you are using Drupal 9.0, update to Drupal 9.0.14 [5].
   * If you are using Drupal 8.9, update to Drupal 8.9.16 [6].

Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive
security coverage.
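As an added example (not part of the advisory or of Drupal's own tooling), a small triage helper that applies the advisory's own rules to a constructed site inventory: it maps each reported core version to its minor branch, compares it against the fixed release for that branch (9.1.9, 9.0.14, 8.9.16), flags pre-8.9 branches as end-of-life, and records whether the CKEditor mitigation applies. Site names and versions in the inventory are constructed.

```python
import re

# Fixed releases named in SA-CORE-2021-003, keyed by supported minor branch.
# The trailing 1 marks a final release; a pre-release (e.g. 9.1.9-rc1) gets 0 so
# it sorts below the final release of the same number.
FIXED_RELEASES = {"9.1": (9, 1, 9, 1), "9.0": (9, 0, 14, 1), "8.9": (8, 9, 16, 1)}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([a-z]+\d*))?$")


def parse_version(version):
    """Turn '9.1.8' or '8.9.16-rc1' into a comparable tuple (major, minor, patch, final)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal core version: {version!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), 0 if suffix else 1)


def assess(version, ckeditor_enabled):
    """Classify one site against the advisory's solution and mitigation text."""
    parsed = parse_version(version)
    branch = f"{parsed[0]}.{parsed[1]}"
    if parsed[0] == 8 and branch not in FIXED_RELEASES:
        return "eol-no-fix"            # 8.x before 8.9 gets no security coverage
    if branch not in FIXED_RELEASES:
        return "not-core-branch"       # e.g. Drupal 7: CKEditor comes from contrib, check that
    if parsed >= FIXED_RELEASES[branch]:
        return "patched"
    if not ckeditor_enabled:
        return "vulnerable-core-ckeditor-disabled"   # mitigated, but still update
    return "vulnerable-update-now"


def triage(inventory):
    """inventory: iterable of (site, core_version, ckeditor_enabled) -> {site: status}."""
    return {site: assess(ver, ck) for site, ver, ck in inventory}


# Constructed sample inventory (hypothetical sites, not from the advisory).
SAMPLE_INVENTORY = [
    ("intranet", "9.1.8", True),
    ("blog", "9.1.9", True),
    ("docs", "9.0.13", False),
    ("legacy", "8.8.10", True),
    ("rc-test", "8.9.16-rc1", True),
    ("old-portal", "7.80", True),
]

if __name__ == "__main__":
    for site, status in triage(SAMPLE_INVENTORY).items():
        print(f"{site}: {status}")
```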

Reported By:
   * Or Sahar [7]

Fixed By:
   * Greg Knaddison [8] of the Drupal Security Team
   * Jess [9] of the Drupal Security Team
   * Krzysztof Krzton [10]
   * Lee Rowlands [11] of the Drupal Security Team
   * Michael Hess [12] of the Drupal Security Team


[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/psa-2016-004
[4] https://www.drupal.org/project/drupal/releases/9.1.9
[5] https://www.drupal.org/project/drupal/releases/9.0.14
[6] https://www.drupal.org/project/drupal/releases/8.9.16
[7] https://www.drupal.org/user/3676145
[8] https://www.drupal.org/user/36762
[9] https://www.drupal.org/user/65776
[10] https://www.drupal.org/user/3618903
[11] https://www.drupal.org/user/395439
[12] https://www.drupal.org/user/102818

_______________________________________________
Security-news mailing list
Security-news at drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news


===
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - Unicamp
Centro de Computacao - CCUEC
GnuPG Public Key: http://www.security.unicamp.br/security.asc
Contact: +55 19 3521-2289 or INOC-DBA: 1251*830