Security Alert (A21-08-08): Vulnerability in Drupal


 

Published on: 16 August 2021

Description:

Drupal has released a security advisory to address a vulnerability in the CKEditor library for WYSIWYG editing. A remote attacker may upload a maliciously crafted file to a vulnerable system to exploit the vulnerability.

Please note that Drupal 8 prior to version 8.9.x and Drupal 9 prior to version 9.1.x have reached End-Of-Life (EOL). No security updates will be provided after that. Users should arrange upgrading the Drupal to supported versions or migrating to other supported technology.

 

Affected Systems:

  • Drupal version 8.9.x
  • Drupal version 9.1.x
  • Drupal version 9.2.x

 

Impact:

Successful exploitation could lead to Cross-site scripting (XSS) attack and allow attacker to take control of an affected system.

 

Recommendation:

The product vendor has released patches to address the issues.

  • Drupal 8.9.18
    https://www.drupal.org/project/drupal/releases/8.9.18
  • Drupal 9.1.12
    https://www.drupal.org/project/drupal/releases/9.1.12
  • Drupal 9.2.4
    https://www.drupal.org/project/drupal/releases/9.2.4

System administrators should review if other distributions of the CKEditor plugin were installed and follow the protocol for managing external libraries and plugins suggested by the Drupal Security Team:

https://www.drupal.org/psa-2011-002

 

More Information:

  • https://www.drupal.org/sa-core-2021-005
  • https://www.drupal.org/core/release-cycle-overview
  • https://us-cert.cisa.gov/ncas/current-activity/2021/08/12/drupal-releases-security-updates

 



Tag: Drupal
Tags