Bug 714184 (SA-CORE-2020-001) - <www-apps/drupal-{8.7.12,8.8.4}: XSS vulnerability in bundled CKEditor (SA-CORE-2020-001)
Summary: <www-apps/drupal-{8.7.12,8.8.4}: XSS vulnerability in bundled CKEditor (SA-CO...
Status: RESOLVED FIXED
Alias: SA-CORE-2020-001
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://www.drupal.org/sa-core-2020-001
Whiteboard: B4 [noglsa]
Reported: 2020-03-24 15:17 UTC by Sam James
Modified: 2020-03-24 15:19 UTC
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-24 15:17:54 UTC
Description:
"Vulnerabilities are possible if Drupal is configured to use the WYSIWYG CKEditor for your site's users. An attacker that can create or edit content may be able to exploit this Cross Site Scripting (XSS) vulnerability to target users with access to the WYSIWYG CKEditor, and this may include site admins with privileged access."

Advisory in URL.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-24 15:19:56 UTC
Maintainer has already included fixed versions earlier today: https://github.com/gentoo/gentoo/commit/05b29c8bdb0d5ac4a3160c2840c72f36ad0781c2

Maintainer has already cleaned up: https://github.com/gentoo/gentoo/commit/1d2521746b2460bab32816563f1b2076e2459dbd