The Hacker News
It's time to update your Drupal websites, once again.

For the second time within a month, Drupal has been found vulnerable to another critical vulnerability that could allow remote attackers to pull off advanced attacks including cookie theft, keylogging, phishing and identity theft.

Discovered by the Drupal security team, the open source content management framework is vulnerable to cross-site scripting (XSS) vulnerability that resides in a third-party plugin CKEditor which comes pre-integrated in Drupal core to help site administrators and users create interactive content.

CKEditor is a popular JavaScript-based WYSIWYG rich text editor which is being used by many websites, as well as comes pre-installed with some popular web projects.

According to a security advisory released by CKEditor, the XSS vulnerability stems from the improper validation of "img" tag in Enhanced Image plugin for CKEditor 4.5.11 and later versions.
This could allow an attacker to execute arbitrary HTML and JavaScript code in the victim's browser and gain access to sensitive information.

Enhanced Image plugin was introduced in CKEditor 4.3 and supports an advanced way of inserting images into the content using an editor.
"The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor when using the image2 plugin (which Drupal 8 core also uses)," the Drupal security team said.
CKEditor has patched the vulnerability with the release of CKEditor version 4.9.2, which has also been patched in the CMS by the Drupal security team with the release of Drupal version 8.5.2 and Drupal 8.4.7.

Since CKEditor plugin in Drupal 7.x is configured to load from the CDN servers, it is not affected by the flaw.

However, if you have installed the CKEditor plugin manually, you are advised to download and upgrade your plugin to the latest version from its official website.

Drupal recently patched another critical vulnerability, dubbed Drupalgeddon2, a remote code execution bug that allows an unauthenticated, remote attacker to execute malicious code on default or common Drupal installations under the privileges of the user, affecting all versions of Drupal from 6 to 8.

However, due to people's laziness of patching their systems and websites timely, the Drupalgeddon2 vulnerability has been found exploiting in the wild by hackers to deliver cryptocurrency miners, backdoors, and other malware.

Therefore, users are highly recommended always to take security advisories seriously and keep their systems and software up-to-date in order to avoid become victims of any cyber attack.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.