Bug 714184 (SA-CORE-2020-001)

Summary: <www-apps/drupal-{8.7.12,8.8.4}: XSS vulnerability in bundled CKEditor (SA-CORE-2020-001)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.drupal.org/sa-core-2020-001
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description (Sam James, 2020-03-24 15:17:54 UTC):
"Vulnerabilities are possible if Drupal is configured to use the WYSIWYG CKEditor for your site's users. An attacker that can create or edit content may be able to exploit this Cross Site Scripting (XSS) vulnerability to target users with access to the WYSIWYG CKEditor, and this may include site admins with privileged access."

Advisory in URL.
Comment 1 (Sam James, 2020-03-24 15:19:56 UTC):
Maintainer has already included fixed versions earlier today: https://github.com/gentoo/gentoo/commit/05b29c8bdb0d5ac4a3160c2840c72f36ad0781c2

Maintainer has already cleaned up: https://github.com/gentoo/gentoo/commit/1d2521746b2460bab32816563f1b2076e2459dbd