CKEditor - WYSIWYG HTML editor - Moderately critical - Cross site scripting - SA-CONTRIB-2020-007

Project: CKEditor - WYSIWYG HTML editor

Date: 2020-March-18

Security risk: Moderately critical 11∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon

Vulnerability: Cross site scripting

Description: The CKEditor module (and its predecessor, the FCKeditor module) allows Drupal to replace textarea fields with CKEditor 3.x/4.x (FCKeditor 2.x in the case of the FCKeditor module), a visual HTML editor, sometimes called a WYSIWYG editor.

Because the module used the JavaScript `eval()` function on non-filtered data in the admin section, it was possible for a user with permission to create content visible in the admin area to inject a specially crafted malicious script, resulting in Cross Site Scripting (XSS).

The problem existed in the CKEditor module for Drupal, not in the JavaScript libraries with the same names.

Solution: Install the latest version:

Also see the CKEditor - WYSIWYG HTML editor project page

Reported By: 

Fixed By: 

Coordinated By: 
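The `eval()` pattern named in the Description, shown beside a data-only parser. This is an added illustration, not code from the CKEditor module; the function names, the `ALLOWED_KEYS` list and both sample strings are constructed assumptions.

```javascript
// Added illustration: names and inputs are hypothetical, not the module's code.

// Unsafe pattern: turning text into an object by evaluating it as code.
// Any expression embedded in the text runs with the page's privileges.
function parseSettingsUnsafe(text) {
  return eval('(' + text + ')');
}

// Hypothetical allowlist of setting names the admin page expects.
const ALLOWED_KEYS = new Set(['toolbar', 'width', 'height']);

// Safer pattern: JSON.parse treats the text as data only and never executes
// it; the result is then reduced to known keys holding plain scalar values.
function parseSettingsSafe(text) {
  let value;
  try {
    value = JSON.parse(text);
  } catch (e) {
    return null; // not valid JSON: reject instead of interpreting it
  }
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    return null;
  }
  const out = {};
  for (const [key, v] of Object.entries(value)) {
    if (!ALLOWED_KEYS.has(key)) continue;
    if (typeof v === 'string' || typeof v === 'number') out[key] = v;
  }
  return out;
}

// Constructed inputs. The second embeds an expression with a harmless,
// observable side effect to stand in for injected script.
const benignInput = '{"toolbar": "Basic", "width": 600}';
const craftedInput = '{"toolbar": (globalThis.__evalRan = true, "Basic")}';

function demo() {
  globalThis.__evalRan = false;
  parseSettingsUnsafe(craftedInput);
  const ranUnderEval = globalThis.__evalRan;      // eval executed the expression
  globalThis.__evalRan = false;
  const safeResult = parseSettingsSafe(craftedInput); // rejected as invalid JSON
  const ranUnderSafe = globalThis.__evalRan;
  return { ranUnderEval, safeResult, ranUnderSafe,
           benign: parseSettingsSafe(benignInput) };
}
```

Parsing as data closes the code-execution path only; values that are later written into the admin page still need output escaping.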
