Upgrade for Drupal

Project: Drupal core [1]
Date: 2018-April-18
Security risk: *Moderately critical* 12∕25
AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross Site Scripting

CKEditor, a third-party JavaScript library included in Drupal core, has fixed
a cross-site scripting (XSS) vulnerability [3]. The vulnerability stemmed
from the fact that it was possible to execute XSS inside CKEditor when using
the image2 plugin (which Drupal 8 core also uses).

We would like to thank the CKEditor team for patching the vulnerability and
coordinating the fix and release process, and matching the Drupal core
security window.

* If you are using Drupal 8, update to Drupal 8.5.2 [4] or Drupal 8.4.7
* The Drupal 7.x CKEditor contributed module [6] is not affected if you are
running CKEditor module 7.x-1.18 and using CKEditor from the CDN, since it
currently uses a version of the CKEditor library that is not vulnerable.
* If you installed CKEditor in Drupal 7 using another method (for example
with the WYSIWYG [7] module or the CKEditor module with CKEditor locally)
and you’re using a version of CKEditor from 4.5.11 up to 4.9.1, update
the third-party JavaScript library by downloading CKEditor 4.9.2 from
CKEditor’s site [8].
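The remediation steps above boil down to one check: find which CKEditor library version each Drupal 7 site actually loads and compare it against the affected range (4.5.11 up to 4.9.1, fixed in 4.9.2). The following script is an added example, not code from the advisory or from Drupal or CKEditor. It assumes that a CKEditor 4 build embeds its version as a `version:"4.x.y"` (or `CKEDITOR.version = "4.x.y"`) literal in ckeditor.js, which is how the built library exposes `CKEDITOR.version`; the sample build header is constructed here for the demonstration.

```python
import re
import sys

# Affected range as stated in the advisory: 4.5.11 up to and including 4.9.1.
AFFECTED_MIN = (4, 5, 11)
AFFECTED_MAX = (4, 9, 1)
FIXED_VERSION = "4.9.2"

# Assumption: CKEditor 4 builds carry their version as version:"4.x.y" (minified)
# or CKEDITOR.version = '4.x.y' (unminified). This pattern is ours, not the advisory's.
VERSION_RE = re.compile(r'version\s*[:=]\s*["\'](\d+(?:\.\d+)+)["\']')

# Constructed sample of the leading bytes of a ckeditor.js build (not a real file).
SAMPLE_VULNERABLE_BUILD = (
    'window.CKEDITOR||(window.CKEDITOR=function(){'
    'var a={timestamp:"R3G4",version:"4.9.1",revision:"0000000"};'
)
SAMPLE_FIXED_BUILD = SAMPLE_VULNERABLE_BUILD.replace('"4.9.1"', '"4.9.2"')


def parse_version(text):
    """Turn '4.9.1' into (4, 9, 1) so tuples compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def extract_ckeditor_version(js_source):
    """Return the version string embedded in a ckeditor.js build, or None."""
    match = VERSION_RE.search(js_source)
    return match.group(1) if match else None


def is_affected(version):
    """True when the version lies inside the range named in the advisory."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def audit_source(js_source):
    """Classify a library source as 'affected', 'not-affected' or 'unknown'."""
    version = extract_ckeditor_version(js_source)
    if version is None:
        return "unknown", None
    return ("affected" if is_affected(version) else "not-affected"), version


def audit_file(path):
    """Read a locally installed ckeditor.js (only its head is needed) and audit it."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        head = fh.read(64 * 1024)  # version literal sits near the top of the build
    return audit_source(head)


if __name__ == "__main__":
    # Usage: python ckeditor_audit.py /path/to/sites/all/libraries/ckeditor/ckeditor.js ...
    targets = sys.argv[1:]
    if not targets:
        for label, src in (("sample-vulnerable", SAMPLE_VULNERABLE_BUILD),
                           ("sample-fixed", SAMPLE_FIXED_BUILD)):
            status, version = audit_source(src)
            print(f"{label}: {status} (version {version})")
    for path in targets:
        status, version = audit_file(path)
        advice = f"update to {FIXED_VERSION}" if status == "affected" else "no action"
        print(f"{path}: {status} (version {version}) -> {advice}")
```

Point it at every ckeditor.js under a Drupal 7 install (the WYSIWYG module and the CKEditor module with a local library each keep their own copy), since a site with no CDN usage can carry more than one library version. An `unknown` result means the version literal was not found and the file should be inspected by hand rather than assumed safe.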

Reported By:
* Kyaw Min Thein [9]

Fixed By:
* Marek Lewandowski [10] of the CKEditor team
* Wiktor Walc [11] of the CKEditor team
* Wim Leers [12]
* xjm [13] of the Drupal Security Team
* Lee Rowlands [14] of the Drupal Security Team
* Daniel Wehner [15]
* Hai-Nam Nguyen [16]
* Matthew Grill [17]


Author: Danijel Kozinovic
CERT ID: NCERT-REF-2018-04-0001-ADV