The flaw impacts CKEditor, a WYSIWYG HTML editor included in the Drupal core. CKEditor exposes users to XSS attacks due to a flaw in the Enhanced Image (image2) plugin.
“The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor using the <img> tag and specially crafted HTML,” said CKEditor developers. “Please note that the default presets (Basic/Standard/Full) do not include this plugin, so you are only at risk if you made a custom build and enabled this plugin.”
XSS flaws can typically be exploited by getting the targeted user to click on a specially crafted link, and they allow attackers to execute arbitrary code, leading to session hijacking, data theft or phishing.
The security hole, discovered by Kyaw Min Thein, affects CKEditor versions 4.5.11 through 4.9.1, and it has been fixed with the release of version 4.9.2. The patched version of CKEditor has been included in Drupal 8.5.2 and 8.4.7.
This is the second Drupal security update in recent weeks. The previous update was released in late March and it addressed CVE-2018-7600, a highly critical remote code execution vulnerability that allows attackers to take control of impacted websites.
Dubbed Drupalgeddon2, the flaw has been exploited in the wild to deliver backdoors, cryptocurrency miners, and other types of malware. The first attempts to exploit the vulnerability were spotted in mid-April, shortly after technical details and proof-of-concept (PoC) code were made public.