Hacking Drupal websites with XSS vulnerability

Even though companies take all necessary measures to protect their IT infrastructure, a cybersecurity incident affecting a third-party platform or service is enough to expose them to several information security risks. This is what has happened with a component shared by multiple platforms, including Drupal, one of the most popular content management systems (CMS).

A cybersecurity alert reports a cross-site scripting (XSS) vulnerability in CKEditor, a text editor embedded in many online applications.

According to the alert, a threat actor could exploit this XSS vulnerability to attack users with access to CKEditor, which could include highly privileged site administrators.

It should be noted that exploiting this vulnerability is highly complex: an attacker would also have to trick a victim into copying specially crafted HTML code and then pasting it into CKEditor in “WYSIWYG” mode. In this regard, the developers of CKEditor state: “Exploitation is an unlikely scenario, however, we recommend that our users upgrade to the latest version of the text editor”.

CKEditor announced the release of version 4.14, which contains fixes for this vulnerability. According to the developers’ report, the flaw lies in the HTML data processor and was identified by researchers at the security firm Securitum.

Drupal, for its part, issued a statement asking its users to upgrade to a version of the CMS that bundles the updated CKEditor. In other words, website administrators need to upgrade to Drupal 8.8.4 or 8.7.12.
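Because the fix ships on two separate minor branches, a plain numeric comparison misleads: 8.8.0 sorts above 8.7.12 yet still lacks the fix. The following branch-aware check is an added example (not code from Drupal, CKEditor or the advisory); it assumes plain MAJOR.MINOR.PATCH version strings and goes slightly beyond the text by triaging a list of sites at once.

```python
import re
from typing import Dict, List, Optional, Tuple

# First patch release on each Drupal 8 minor branch that bundles CKEditor 4.14,
# taken from the advisory quoted above. Older branches are not listed there.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (8, 8): (8, 8, 4),
    (8, 7): (8, 7, 12),
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse a 'MAJOR.MINOR.PATCH' core version into integers.

    Dev or pre-release strings (e.g. '8.8.x-dev') are rejected rather than
    guessed at, since they cannot be mapped to a patch release reliably.
    """
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not match:
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    major, minor, patch = (int(x) for x in match.groups())
    return major, minor, patch


def needs_update(version: str) -> Optional[bool]:
    """True if the version predates the fix on its own minor branch,
    False if it already carries the fix, None if the branch is not one
    the advisory covers (treat None as 'investigate', not as 'safe')."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) < fixed


def triage(versions: List[str]) -> Dict[str, List[str]]:
    """Bucket an inventory of site versions (constructed sample input in the test)."""
    buckets: Dict[str, List[str]] = {"update": [], "ok": [], "unknown": []}
    for v in versions:
        result = needs_update(v)
        if result is None:
            buckets["unknown"].append(v)
        elif result:
            buckets["update"].append(v)
        else:
            buckets["ok"].append(v)
    return buckets
```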

Finally, Drupal rated the flaw as medium severity in its security alert, though it still urges users to upgrade to the corrected versions.