Drupal Core Cross Site Scripting Vulnerability - SA-CORE-2018-003


On April 18, 2018, Drupal released a security advisory regarding a Cross-Site Scripting (XSS) vulnerability in CKEditor, a third-party JavaScript library included in Drupal core. The image2 plugin in CKEditor allows the execution of XSS through the <img> tag and specially crafted HTML. The vulnerability affects Drupal 8 sites running versions prior to 8.5.2 and 8.4.7. Drupal 7 is not affected, as it uses the non-vulnerable CKEditor library from the CDN, unless users installed CKEditor version 4.5.11 to 4.9.1 by another method, such as through the WYSIWYG module.

The IT Security office recommends that users update Drupal 8 to version 8.5.2 or 8.4.7 as soon as reasonably possible, and that users who installed CKEditor by an alternate method update to CKEditor version 4.9.2. For more information about the vulnerability, visit the Drupal site and the CKEditor site.
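To triage a site against the affected and fixed versions stated above, here is a small Python helper (an added example, not code from Drupal, CKEditor, or the IT Security office). The function and parameter names are my own, and treating Drupal 8.x branches older than 8.4 as affected is an assumption, since the advisory names fix releases only for the 8.4 and 8.5 branches.

```python
"""Triage helper for SA-CORE-2018-003 (added example; not Drupal's or CKEditor's code).

Encodes the ranges stated in the advisory:
  - Drupal 8.5.x before 8.5.2 and Drupal 8.4.x before 8.4.7 are affected.
  - Drupal 7 is not affected unless CKEditor 4.5.11 through 4.9.1 was installed
    separately (e.g. via the WYSIWYG module); CKEditor 4.9.2 is the fixed release.
Assumption: 8.x branches older than 8.4 have no listed fix and are treated as affected.
"""
from typing import Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.5.2' into (8, 5, 2); a pre-release suffix such as '-rc1' is dropped."""
    core = text.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def drupal_core_affected(drupal_version: str) -> bool:
    """True when the bundled CKEditor in this Drupal core release is vulnerable."""
    v = parse_version(drupal_version)
    if v[0] != 8:
        return False  # only Drupal 8 ships CKEditor in core
    if v[:2] == (8, 5):
        return v < (8, 5, 2)
    if v[:2] == (8, 4):
        return v < (8, 4, 7)
    return True  # assumption: older 8.x branches have no fixed release


def ckeditor_affected(ckeditor_version: str) -> bool:
    """True for a separately installed CKEditor in the advisory's 4.5.11..4.9.1 range."""
    v = parse_version(ckeditor_version)
    return (4, 5, 11) <= v <= (4, 9, 1)


def site_affected(drupal_version: str, ckeditor_version: Optional[str] = None) -> bool:
    """Combine both checks: core version first, then any separately installed CKEditor."""
    if drupal_core_affected(drupal_version):
        return True
    if ckeditor_version is not None:
        return ckeditor_affected(ckeditor_version)
    return False


if __name__ == "__main__":
    # Constructed sample inventory: (site name, Drupal version, separately installed CKEditor)
    for name, drupal, ck in [("siteA", "8.5.1", None), ("siteB", "8.4.7", None),
                             ("siteC", "7.58", "4.9.1"), ("siteD", "7.58", None)]:
        print(name, "AFFECTED" if site_affected(drupal, ck) else "ok")
```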