Drupal

SA-CONTRIB-2014-098 – CKEditor – Cross Site Scripting (XSS)

Leave a comment

Description

The CKEditor module (and its predecessor, FCKeditor module) allows Drupal to replace textarea fields with CKEditor 3.x/4.x (FCKeditor 2.x in case of FCKeditor module) – a visual HTML editor, sometimes called WYSIWYG editor.

Both modules define a function, called via an ajax request, that filters text before passing it into the editor, to prevent certain cross site scripting attacks on content edits (that the JavaScript library might not handle). Because the function did not check a CSRF token for anonymous users, it was possible to perform reflected XSS against anonymous users via CSRF.

The problem existed in CKEditor/FCKeditor modules for Drupal, not in JavaScript libraries with the same names.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.

Versions affected

  • CKEditor 7.x-1.x versions prior to 7.x-1.15.
  • CKEditor 6.x-1.x versions prior to 6.x-1.14.
  • FCKeditor 6.x-2.x versions prior to 6.x-2.3.

Drupal core is not affected. If you do not use the contributed CKEditor – WYSIWYG HTML editor module, there is nothing you need to do.

Solution

Install the latest version:

Also see the CKEditor – WYSIWYG HTML editor project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: 
Drupal 6.x
Drupal 7.x

Leave a Reply