Drupal has released a moderately critical security update for Drupal 8 and Drupal 9. This security update (version 8.9.16 and 9.1.9) fixes a vulnerability that has been identified by the Drupal security team.
Drupal core uses the third-party CKEditor library which is used to edit and format text on pages, particularly body content. This library has an error in parsing HTML that could lead to a cross-site scripting attack. As CKEditor is the default text editor for Drupal, it is recommend all sites update to the latest version of Drupal as soon as possible.
What is a cross-tie scripting vulnerability?
Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application (e.g. older versions of Drupal). It allows an attacker to circumvent the same origin policy, which is designed to segregate different websites from each other.
Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user's data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application's functionality and data.
Solution
The latest versions of Drupal (version 8.9.16 and 9.1.9) will mitigate the vulnerability. All Drupal websites should be updated to the latest version of Drupal.
Action
All Drupal websites that are hosted with Enrega will be updated by our support team. For more information about the update process, please see our security updates for your website page.
If you have a shared hosting account with CMS support, your website you will receive an email which will notify you when your website will be updated. If you have a custom website that is not in shared hosting, or if you do not have CMS support, please get in touch with us to book a time to have the update done for you.
