<div dir="ltr"><div class="gmail_quote">View online: <a href="https://www.drupal.org/sa-core-2021-003" rel="noreferrer" target="_blank">https://www.drupal.org/sa-core-2021-003</a><br>
<br>
Project: Drupal core [1]<br>
Date: 2021-May-26<br>
Security risk: *Moderately critical* 14∕25<br>
AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default [2]<br>
Vulnerability: Cross Site Scripting<br>
<br>
Description: <br>
Drupal core uses the third-party CKEditor library. This library has an error<br>
in parsing HTML that could lead to an XSS attack. CKEditor 4.16.1 and later<br>
include the fix.<br>
<br>
Users of the CKEditor library via means other than Drupal core should update<br>
their 3rd party code (e.g. the WYSIWYG module for Drupal 7). The Drupal<br>
Security Team policy is not to alert for issues affecting 3rd party libraries<br>
unless those are shipped with Drupal core. See DRUPAL-SA-PSA-2016-004 for<br>
more details [3].<br>
<br>
This issue is mitigated by the fact that it only affects sites with CKEditor<br>
enabled.<br>
<br>
Solution: <br>
Install the latest version:<br>
<br>
   * If you are using Drupal 9.1, update to Drupal 9.1.9 [4].<br>
   * If you are using Drupal 9.0, update to Drupal 9.0.14 [5].<br>
   * If you are using Drupal 8.9, update to Drupal 8.9.16 [6].<br>
<br>
Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive<br>
security coverage.<br>
<br>
Reported By: <br>
   * Or Sahar [7]<br>
<br>
Fixed By: <br>
   * Greg Knaddison [8] of the Drupal Security Team<br>
   * Jess  [9] of the Drupal Security Team<br>
   * Krzysztof Krzton [10]<br>
   * Lee Rowlands [11] of the Drupal Security Team<br>
   * Michael Hess [12] of the Drupal Security Team<br>
<br>
<br>
[1] <a href="https://www.drupal.org/project/drupal" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal</a><br>
[2] <a href="https://www.drupal.org/security-team/risk-levels" rel="noreferrer" target="_blank">https://www.drupal.org/security-team/risk-levels</a><br>
[3] <a href="https://www.drupal.org/psa-2016-004" rel="noreferrer" target="_blank">https://www.drupal.org/psa-2016-004</a><br>
[4] <a href="https://www.drupal.org/project/drupal/releases/9.1.9" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal/releases/9.1.9</a><br>
[5] <a href="https://www.drupal.org/project/drupal/releases/9.0.14" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal/releases/9.0.14</a><br>
[6] <a href="https://www.drupal.org/project/drupal/releases/8.9.16" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal/releases/8.9.16</a><br>
[7] <a href="https://www.drupal.org/user/3676145" rel="noreferrer" target="_blank">https://www.drupal.org/user/3676145</a><br>
[8] <a href="https://www.drupal.org/user/36762" rel="noreferrer" target="_blank">https://www.drupal.org/user/36762</a><br>
[9] <a href="https://www.drupal.org/user/65776" rel="noreferrer" target="_blank">https://www.drupal.org/user/65776</a><br>
[10] <a href="https://www.drupal.org/user/3618903" rel="noreferrer" target="_blank">https://www.drupal.org/user/3618903</a><br>
[11] <a href="https://www.drupal.org/user/395439" rel="noreferrer" target="_blank">https://www.drupal.org/user/395439</a><br>
[12] <a href="https://www.drupal.org/user/102818" rel="noreferrer" target="_blank">https://www.drupal.org/user/102818</a><br>
<br>
_______________________________________________<br>
Security-news mailing list<br>
<a href="mailto:Security-news@drupal.org" target="_blank">Security-news@drupal.org</a><br>
Unsubscribe at <a href="https://lists.drupal.org/mailman/listinfo/security-news" rel="noreferrer" target="_blank">https://lists.drupal.org/mailman/listinfo/security-news</a></div><div class="gmail_quote"><br></div><div class="gmail_quote"><br clear="all"><div><div dir="ltr" class="gmail_signature"><div dir="ltr"><div>===</div><div>Computer Security Incident Response Team - CSIRT</div><div>Universidade Estadual de Campinas - Unicamp</div><div>Centro de Computacao - CCUEC</div><div>GnuPG Public Key: <a href="http://www.security.unicamp.br/security.asc" target="_blank">http://www.security.unicamp.br/security.asc</a> [^]</div><div>Contato: +55 19 3521-2289 ou INOC-DBA: 1251*830</div></div></div></div>
</div></div>