Webform - Moderately critical - Cross Site Scripting - SA-CONTRIB-2021-026

Project: WebformDate: 2021-August-25Security risk: Moderately critical 12∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross Site ScriptingDescription: The Webform module uses the CKEditor, library for WYSIWYG editing. CKEditor has released a security update that impacts Webform.
An attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor, including site admins with privileged access.
For more information, see CKEditor's announcement of the release.Solution: Install the latest version:

If you are using a previous release of the Webform module you can immediately do one of several options.

  1. Update Drupal
  2. If you are using Composer, run drush webform:libraries:composer > DRUPAL_ROOT/composer.libraries.json and run composer update
  3. If you are using Drush, run drush webform:libraries:update

Learn more about updating Webform libraries.Reported By: 

Fixed By: 

Coordinated By: 

Path to article https://www.drupal.org/sa-contrib-2021-026