Security update: Drupal 8.8.4

Written by Mark Enrega on Friday, March 20, 2020

Drupal has released a moderately critical security update for Drupal 8. This security update (version 8.8.4) fixes third-party dependencies that are included in all Drupal 8 websites. 

Drupal uses the CKEditor WYSIWYG editor to manage HTML content on pages. The CKEditor team has released a security update for a vulnerability found in the editor. An attacker who can create or edit content may be able to exploit a cross-site scripting (XSS) vulnerability against users who have access to the CKEditor WYSIWYG editor, and this may include site administrators with privileged access.

Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user's data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application's functionality and data.

Solution

The latest version of Drupal 8 (8.8.4) includes CKEditor 4.14, which mitigates the vulnerability. All Drupal 8 websites should be updated to Drupal 8.8.4.
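As an added check that is not part of this post, the script below reads the Drupal core version and the bundled CKEditor version from a site's docroot and reports whether either is below the versions named above. The file paths and the `version:"x.y.z"` layout of the minified CKEditor bundle are assumptions about a standard Drupal 8 install.

```python
import re
from pathlib import Path

# Minimum versions named in the advisory above.
MIN_CORE = (8, 8, 4)
MIN_CKEDITOR = (4, 14, 0)

# core/lib/Drupal.php declares the core version, e.g.  const VERSION = '8.8.4';
CORE_RE = re.compile(r"const\s+VERSION\s*=\s*'(\d+(?:\.\d+)*)")
# The bundled CKEditor build (core/assets/vendor/ckeditor/ckeditor.js) is assumed
# to embed its version as  version:"4.14.0"  near the top of the minified file.
CK_RE = re.compile(r'\bversion:"(\d+(?:\.\d+)*)"')

def parse_version(text):
    """'8.8' -> (8, 8, 0). Pre-release suffixes such as '-dev' are not captured
    by the regexes above, so an 8.8.4-dev checkout is reported as 8.8.4."""
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def extract_version(source, pattern):
    """Return the version tuple matched by pattern in source, or None if absent."""
    match = pattern.search(source)
    return parse_version(match.group(1)) if match else None

def assess(core, ckeditor):
    """Return a list of findings; empty means both components are at or above the fixed versions."""
    findings = []
    if core is None:
        findings.append("core version not found")
    elif core < MIN_CORE:
        findings.append("Drupal core %s is below 8.8.4" % ".".join(map(str, core)))
    if ckeditor is None:
        findings.append("CKEditor version not found")
    elif ckeditor < MIN_CKEDITOR:
        findings.append("bundled CKEditor %s is below 4.14" % ".".join(map(str, ckeditor)))
    return findings

def check_docroot(root):
    """Read both files from a Drupal 8 docroot and return the findings."""
    root = Path(root)
    core_src = (root / "core" / "lib" / "Drupal.php").read_text(errors="replace")
    ck_src = (root / "core" / "assets" / "vendor" / "ckeditor" / "ckeditor.js").read_text(errors="replace")
    return assess(extract_version(core_src, CORE_RE), extract_version(ck_src, CK_RE))

# Constructed sample sources standing in for the two files on an unpatched site.
SAMPLE_DRUPAL_PHP = "<?php\nclass Drupal {\n  const VERSION = '8.8.2';\n"
SAMPLE_CKEDITOR_JS = '(function(){window.CKEDITOR=function(){var a={timestamp:"K0AA",version:"4.13.1",'

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        findings = check_docroot(sys.argv[1])   # real docroot given on the command line
    else:
        findings = assess(extract_version(SAMPLE_DRUPAL_PHP, CORE_RE),
                          extract_version(SAMPLE_CKEDITOR_JS, CK_RE))
    print("\n".join(findings) or "up to date")
```

Run with the docroot as the only argument to check a real site; with no argument it evaluates the constructed samples.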

Action

All Drupal 8 websites that are hosted with Enrega will be updated by our support team. For more information about the update process, please see our "Security updates for your website" page.

If you have a shared hosting account, you can see our progress by following our support team on Twitter. If you have a custom website that is not in shared hosting, we'll let you know by email when we're done.
