18 Apr 2018

Another critical flaw has been found in Drupal, the open source content management framework, and it is time to update it once more.

This is the second time within a month that a vulnerability has been found in Drupal which allows remote attackers to mount advanced attacks including cookie theft, keylogging, phishing and identity theft.

The vulnerability, reported by the Drupal security team, is a cross-site scripting (XSS) flaw that resides in a third-party plugin called CKEditor, which is integrated into Drupal core to help site administrators and users create interactive content.

CKEditor is a JavaScript-based WYSIWYG rich text editor that lets users write content directly inside web pages or online applications. It is used by many websites and ships pre-installed with some popular web projects.

As per the security advisory released by CKEditor, the XSS vulnerability stems from improper validation of the “img” tag in the Enhanced Image plugin for CKEditor 4.5.11 and later versions. This enables an attacker to execute arbitrary HTML and JavaScript code in the victim’s browser and gain access to their information.

The Enhanced Image plugin was introduced in CKEditor 4.3 and supports an advanced way of inserting images into content using the editor.

The Drupal Security team reports that the vulnerability stems from the fact that it was possible to execute XSS inside CKEditor when using the image2 plugin (which Drupal 8 core also uses).
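As an added illustration (not CKEditor's or Drupal's code), the following JavaScript shows the allowlist-style validation of “img” attributes whose absence the advisory describes: any attribute that is not expected, and any src that is not an http(s) or relative URL, is dropped before the tag is rebuilt. All attribute names and values are constructed sample input.

```javascript
// Added example: validate <img> attributes against an allowlist instead of
// passing author-supplied markup through untouched. Not CKEditor's own code.

const ALLOWED_ATTRS = new Set(["src", "alt", "title", "width", "height"]);

// Accept only http(s) URLs and same-origin relative paths for src. Any other
// scheme (javascript:, data:, vbscript:, ...) is rejected, including schemes
// obscured with whitespace or control characters. Protocol-relative "//"
// URLs are also rejected here to keep the rule simple.
function isSafeImageSrc(value) {
  const cleaned = value.replace(/[\u0000-\u001f\s]/g, "").toLowerCase();
  if (cleaned.startsWith("http://") || cleaned.startsWith("https://")) return true;
  return !/^[a-z][a-z0-9+.-]*:/.test(cleaned) && !cleaned.startsWith("//");
}

// Return only the attributes that survive validation. Unknown attributes,
// including every on* event handler and style, are dropped rather than escaped.
function sanitizeImgAttributes(attrs) {
  const out = {};
  for (const [rawName, rawValue] of Object.entries(attrs)) {
    const name = rawName.trim().toLowerCase();
    const value = String(rawValue);
    if (!ALLOWED_ATTRS.has(name)) continue;
    if (name === "src" && !isSafeImageSrc(value)) continue;
    if ((name === "width" || name === "height") && !/^\d{1,4}$/.test(value)) continue;
    out[name] = value;
  }
  return out;
}

// Escape attribute values so a quote inside alt text cannot break out of the
// attribute when the tag is serialised.
function escapeAttr(v) {
  return v.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Rebuild a tag from validated, escaped attributes only.
function buildImgTag(attrs) {
  const safe = sanitizeImgAttributes(attrs);
  const parts = Object.entries(safe).map(([k, v]) => `${k}="${escapeAttr(v)}"`);
  return `<img ${parts.join(" ")}>`;
}
```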

CKEditor has patched the vulnerability with the release of CKEditor version 4.9.2, and the Drupal security team has shipped the fix in the CMS with the release of Drupal 8.5.2 and Drupal 8.4.7.

The CKEditor plugin in Drupal 7.x is configured to load from CDN servers, and so it is not affected by the flaw.

But if you have installed the CKEditor plugin manually, you should download and upgrade it to the latest version from its official website.

Drupal recently patched another critical vulnerability, dubbed Drupalgeddon2, which has been exploited in the wild to deliver backdoors, cryptocurrency miners and other types of malware. It allows attackers to take complete control of affected websites. The flaw affects Drupal 6, 7 and 8, and it was patched with updates released in late March. However, because many users failed to patch their systems and websites in time, the Drupalgeddon2 vulnerability has been widely exploited.

Users are therefore strongly advised to take security measures seriously and keep their systems and software up to date in order to avoid becoming victims of a cyber attack.
