Bug 825046 (SA-CORE-2021-011) - <www-apps/drupal-{8.9.20,9.1.15}: XSS vulnerability
Summary: <www-apps/drupal-{8.9.20,9.1.15}: XSS vulnerability
Status: RESOLVED FIXED
Alias: SA-CORE-2021-011
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://www.drupal.org/sa-core-2021-011
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
Reported: 2021-11-19 18:48 UTC by John Helmert III
Modified: 2022-05-04 15:31 UTC
See Also:
Package list:
Runtime testing required: ---
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-11-19 18:48:42 UTC
"Vulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor, including site admins with privileged access.
...
If you are using Drupal 9.2, update to Drupal 9.2.9.
If you are using Drupal 9.1, update to Drupal 9.1.14.
If you are using Drupal 8.9, update to Drupal 8.9.20."

Please bump.
Comment 1 Tupone Alfredo gentoo-dev 2022-05-04 09:41:11 UTC
commit 2a62cefe6dd6583f8d8de73447a70be15396bf52
Author: Alfredo Tupone <tupone@gentoo.org>
Date:   Wed May 4 11:35:32 2022 +0200

    www-apps/drupal: drop old versions
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-04 15:31:26 UTC
Thanks!