Vulnerability from drupal
Published
2021-08-25 15:27
Modified
2023-08-11 17:01
Summary
Details
The Webform module uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that impacts Webform.
An attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor, including site admins with privileged access.
For more information, see CKEditor's announcement of the release.
Credits
Lee Rowlands
www.drupal.org/user/395439
{
"affected": [
{
"database_specific": {
"affected_versions": "\u003c5.28.0 || \u003e=6.0.0 \u003c6.0.5"
},
"package": {
"ecosystem": "Packagist:https://packages.drupal.org/8",
"name": "drupal/webform"
},
"ranges": [
{
"database_specific": {
"constraint": "\u003c5.28.0"
},
"events": [
{
"introduced": "0"
},
{
"fixed": "5.28.0"
}
],
"type": "ECOSYSTEM"
},
{
"database_specific": {
"constraint": "\u003e=6.0.0 \u003c6.0.5"
},
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.0.5"
}
],
"type": "ECOSYSTEM"
}
],
"severity": []
}
],
"aliases": [],
"credits": [
{
"contact": [
"https://www.drupal.org/user/395439"
],
"name": "Lee Rowlands"
}
],
"details": "The Webform module uses the [CKEditor](https://github.com/ckeditor/ckeditor4), library for WYSIWYG editing. CKEditor has released [a security update that impacts Webform](https://ckeditor.com/blog/ckeditor-4.16.2-with-browser-improvements-and-security-fixes/).\n\nAn attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor, including site admins with privileged access.\n\nFor more information, see [CKEditor\u0027s announcement of the release](https://ckeditor.com/blog/ckeditor-4.16.2-with-browser-improvements-and-security-fixes/).",
"id": "DRUPAL-CONTRIB-2021-026",
"modified": "2023-08-11T17:01:51.000Z",
"published": "2021-08-25T15:27:54.000Z",
"references": [
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2021-026"
}
],
"schema_version": "1.7.0"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.