
<div dir="ltr">Project: Drupal core [1]<br>

Date: 2022-March-16<br>

Security risk: *Moderately critical* 13∕25<br>

AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]<br>

Vulnerability: Third-party libraries<br>

<br>

CVE IDs: CVE-2022-24728CVE-2022-24729<br>

Description: <br>

The Drupal project uses the CKEditor [3] library for WYSIWYG editing.<br>

CKEditor has released a security update that impacts Drupal [4].<br>

<br>

Vulnerabilities are possible if Drupal is configured to allow use of the<br>

CKEditor library for WYSIWYG editing. An attacker that can create or edit<br>

content (even without access to CKEditor themselves) may be able to exploit<br>

one or more Cross-Site Scripting (XSS) vulnerabilities to target users with<br>

access to the WYSIWYG CKEditor, including site admins with privileged access.<br>

<br>

For more information, see CKEditor's security advisories:<br>

<br>

   * CVE-2022-24728: HTML processing vulnerability allowing to execute<br>

     JavaScript code [5]<br>

   * CVE-2022-24729: Regular expression Denial of Service in dialog plugin [6]<br>

<br>

This advisory is not covered by Drupal Steward [7].<br>

<br>

Solution: <br>

Install the latest version:<br>

<br>

   * If you are using Drupal 9.3, update to Drupal 9.3.8 [8].<br>

   * If you are using Drupal 9.2, update to Drupal 9.2.15 [9].<br>

<br>

All versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive<br>

security coverage. Note that Drupal 8 has reached its end of life [10].<br>

<br>

.... Instructions for Drupal 7 and contributed modules<br>

<br>

Drupal 7 core is not affected, although Drupal 7, 8, and 9 site owners should<br>

review their site following the protocol for managing external libraries and<br>

plugins [11] previously suggested by the Drupal Security Team, as contributed<br>

projects may use additional CKEditor plugins not packaged in Drupal core.<br>

<br>

Users of the Webform module should ensure Webform's version of CKEditor 4 is<br>

also up-to-date after updating Drupal core and libraries for any affected<br>

contributed modules. If it is not, Webform users can try the following steps<br>

to update it:<br>

<br>

   1) If using Composer, run drush webform:libraries:composer ><br>

      DRUPAL_ROOT/composer.libraries.json and run composer update<br>

   2) If  using Drush without Composer, run drush webform:libraries:update.<br>

<br>

Learn more about updating Webform libraries. [12]<br>

<br>

Reported By: <br>

   * Jacek Bogdański [13]<br>

<br>

Fixed By: <br>

   * Jess  [14] of the Drupal Security Team<br>

   * Wim Leers [15]<br>

   * Lee Rowlands [16] of the Drupal Security Team<br>

<br>

<br>

[1] <a href="https://www.drupal.org/project/drupal" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal</a><br>

[2] <a href="https://www.drupal.org/security-team/risk-levels" rel="noreferrer" target="_blank">https://www.drupal.org/security-team/risk-levels</a><br>

[3] <a href="https://github.com/ckeditor/ckeditor4" rel="noreferrer" target="_blank">https://github.com/ckeditor/ckeditor4</a><br>

[4]<br>

<a href="https://ckeditor.com/blog/ckeditor-4.18.0-browser-bugfix-and-security-patches/" rel="noreferrer" target="_blank">https://ckeditor.com/blog/ckeditor-4.18.0-browser-bugfix-and-security-patches/</a><br>

[5]<br>

<a href="https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89" rel="noreferrer" target="_blank">https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89</a><br>

[6]<br>

<a href="https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2hh" rel="noreferrer" target="_blank">https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2hh</a><br>

[7] <a href="https://www.drupal.org/steward" rel="noreferrer" target="_blank">https://www.drupal.org/steward</a><br>

[8] <a href="https://www.drupal.org/project/drupal/releases/9.3.8" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal/releases/9.3.8</a><br>

[9] <a href="https://www.drupal.org/project/drupal/releases/9.2.15" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal/releases/9.2.15</a><br>

[10] <a href="https://www.drupal.org/psa-2021-06-29" rel="noreferrer" target="_blank">https://www.drupal.org/psa-2021-06-29</a><br>

[11] <a href="https://www.drupal.org/psa-2011-002" rel="noreferrer" target="_blank">https://www.drupal.org/psa-2011-002</a><br>

[12]<br>

<a href="https://www.drupal.org/docs/contributed-modules/webform/webform-libraries" rel="noreferrer" target="_blank">https://www.drupal.org/docs/contributed-modules/webform/webform-libraries</a><br>

[13] <a href="https://www.drupal.org/user/3683355" rel="noreferrer" target="_blank">https://www.drupal.org/user/3683355</a><br>

[14] <a href="https://www.drupal.org/user/65776" rel="noreferrer" target="_blank">https://www.drupal.org/user/65776</a><br>

[15] <a href="https://www.drupal.org/user/99777" rel="noreferrer" target="_blank">https://www.drupal.org/user/99777</a><br>

[16] <a href="https://www.drupal.org/user/395439" rel="noreferrer" target="_blank">https://www.drupal.org/user/395439</a><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>===</div><div>Computer Security Incident Response Team - CSIRT</div><div>Universidade Estadual de Campinas - Unicamp</div><div>Centro de Computacao - CCUEC</div><div>GnuPG Public Key: <a href="http://www.security.unicamp.br/security.asc" target="_blank">http://www.security.unicamp.br/security.asc</a> [^]</div><div>Contato: +55 19 3521-2289 ou INOC-DBA: 1251*830</div></div></div></div></div>