CKEditor 4 LTS - WYSIWYG HTML editor - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-009

Project: CKEditor 4 LTS - WYSIWYG HTML editorDate: 2024-February-14Security risk: Moderately critical 12∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross Site ScriptingAffected versions: >=1.0.0 <1.0.1Description: The CKEditor 4 LTS - WYSIWYG HTML editor module uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that on certain configurations may impact the Drupal module that bundles and integrates this code.
The vulnerability is mitigated by the fact it requires:

  1. full-page editing mode is enabled
  2. or CDATA elements in Advanced Content Filtering configuration (defaults to script and style elements) are enabled.
  3. An attacker must have a permission with access to the CKEditor instance.

For more information, see CKEditor's security advisory:
CVE-2024-24815: Cross-site scripting (XSS) vulnerability caused by incorrect CDATA detectionSolution: Install the latest version:

  • If you use the CKEditor 4 LTS - WYSIWYG HTML editor module for Drupal 9.4+, upgrade to ckeditor_lts 1.0.1

Reported By: 

Fixed By: 

Coordinated By: 

Path to article https://www.drupal.org/sa-contrib-2024-009