CVE No: CVE-2018-7600
Modification History: March 21 2018 – April 19 2018
CVSS Score: 9.8
Risk Level: Critical
Product Affected: Drupal 7.x, 8.3.x, 8.4.x, and 8.5.x
Drupal has been found critical vulnerability that could allow remote attackers to pull off advanced attacks including cookie theft, keylogging, phishing and identity theft.
Discovered by the Drupal security team, the open source content management framework is vulnerable to cross-site scripting (XSS) vulnerability that resides in a third-party plugin CKEditor which comes pre-integrated in Drupal core to help site administrators and users create interactive content.
According to a security advisory released by CKEditor, the XSS vulnerability stems from the improper validation of “img” tag in Enhanced Image plugin for CKEditor 4.5.11 and later versions
Enhanced Image plugin was introduced in CKEditor 4.3 and supports an advanced way of inserting images into the content using an editor.
CKEditor has patched the vulnerability with the release of CKEditor version 4.9.2, which has also been patched in the CMS by the Drupal security team with the release of Drupal version 8.5.2 and Drupal 8.4.7.
Since CKEditor plugin in Drupal 7.x is configured to load from the CDN servers, it is not affected by the flaw.
However, if you have installed the CKEditor plugin manually, you are advised to download and upgrade your plugin to the latest version from its official website.
Drupal recently patched another critical vulnerability, dubbed Drupalgeddon2, a remote code execution bug that allows an unauthenticated, remote attacker to execute malicious code on default or common Drupal installations under the privileges of the user, affecting all versions of Drupal from 6 to 8.
However, due to people’s laziness of patching their systems and websites timely, the Drupalgeddon2 vulnerability has been found exploiting in the wild by hackers to deliver cryptocurrency miners, backdoors, and other malware.
Therefore, users are highly recommended always to take security advisories seriously and keep their systems and software up-to-date in order to avoid become victims of any cyber-attack.
- Upgrade CKEditor 4.5.11+ to CKEditor 4.9.2 that contains a security fix for the Enhanced Image plugin.
- Sites on 8.3.x should immediately update to the 8.3.x release that will be provided in the advisory, and then plan to update to the latest 8.5.x security release in the next month.
- Sites on 8.4.x should immediately update to the 8.4.x release that will be provided in the advisory, and then plan to update to the latest 8.5.x security release in the next month.
- Sites on 7.x or 8.5.x can immediately update when the advisory is released using the normal procedure.