Drupal has released a critical security update to address cross-site scripting (XSS) vulnerabilities in CKEditor, a third-party library bundled with Drupal 8.7.x and 8.8.x.
The update moves Drupal to CKEditor version 4.14, a highly configurable WYSIWYG HTML editor. That CKEditor release patches two cross-site scripting (XSS) vulnerabilities, as noted in a previous blog post.
“Vulnerabilities are possible if Drupal is configured to use the WYSIWYG CKEditor for your site’s users. An attacker that can create or edit content may be able to exploit this Cross Site Scripting (XSS) vulnerability to target users with access to the WYSIWYG CKEditor, and this may include site admins with privileged access,” Drupal warned in the advisory.
Drupal recommends upgrading to Drupal 8.8.4 (for sites running Drupal 8.8.x) or to Drupal 8.7.12 (for sites running Drupal 8.7.x). As an interim mitigation, administrators can disable the WYSIWYG modules until the site is updated.
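An added example, not part of Drupal's advisory, showing how an administrator could check whether a site's core version falls in the affected ranges above. The `drush` command, its `core:status --field=drupal-version` output and the `ckeditor` module name are assumptions about the site's tooling, not facts from the advisory.

```shell
# Return 0 (true) when the given Drupal core version is in the ranges
# the advisory covers: 8.7.x before 8.7.12, or 8.8.x before 8.8.4.
# Anything outside 8.7/8.8 is reported as not affected by this advisory.
drupal_ckeditor_affected() {
  ver="$1"
  major="${ver%%.*}"
  rest="${ver#*.}"
  case "$rest" in
    *.*) minor="${rest%%.*}"; patch="${rest#*.}" ;;
    *)   minor="$rest";       patch="" ;;
  esac
  # Keep only the leading digits of the patch field, so "4-rc1" -> "4"
  # and an unknown "x" -> "" (treated as 0, i.e. assumed affected).
  patch="${patch%%[!0-9]*}"
  [ "$major" = "8" ] || return 1
  case "$minor" in
    7) [ "${patch:-0}" -lt 12 ] ;;
    8) [ "${patch:-0}" -lt 4 ] ;;
    *) return 1 ;;
  esac
}

# Assumed helper: read the running site's version with drush (assumed
# to be installed and run from the site root) and print a verdict with
# the advisory's two options: update core, or remove the editor module.
check_site() {
  v="$(drush core:status --field=drupal-version 2>/dev/null)" || return 2
  if drupal_ckeditor_affected "$v"; then
    echo "Drupal $v: affected - update core, or interim: drush pm:uninstall ckeditor"
  else
    echo "Drupal $v: not in this advisory's affected range"
  fi
}
```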