Security Alert (A21-08-08): Vulnerability in Drupal
16 August 2021
Drupal has released a security advisory to address a vulnerability in the CKEditor library for WYSIWYG editing. A remote attacker may upload a maliciously crafted file to a vulnerable system to exploit the vulnerability.
Please note that Drupal 8 prior to version 8.9.x and Drupal 9 prior to version 9.1.x have reached End-Of-Life (EOL). No security updates will be provided after that. Users should arrange upgrading the Drupal to supported versions or migrating to other supported technology.
Drupal version 8.9.x
Drupal version 9.1.x
Drupal version 9.2.x
Successful exploitation could lead to Cross-site scripting (XSS) attack and allow attacker to take control of an affected system.
The product vendor has released patches to address the issues.
System administrators should review if other distributions of the CKEditor plugin were installed and follow the protocol for managing external libraries and plugins suggested by the Drupal Security Team: