Cross-site scripting (XSS) vulnerability in the Enhanced Image (aka image2) plugin for CKEditor (in versions 4.5.10 through 4.9.1; fixed in 4.9.2), as used in Drupal 8 before 8.4.7 and 8.5.x before 8.5.2 and other products, allows remote attackers to inject arbitrary web script through a crafted IMG element.

The remote Ubuntu 16.04 ESM host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5340-2 advisory.

  - Cross-site scripting (XSS) vulnerability in the Enhanced Image (aka image2) plugin for CKEditor (in     versions 4.5.10 through 4.9.1; fixed in 4.9.2), as used in Drupal 8 before 8.4.7 and 8.5.x before 8.5.2     and other products, allows remote attackers to inject arbitrary web script through a crafted IMG element.
    (CVE-2018-9861)

  - A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows     remote attackers to inject arbitrary web script through a crafted protected comment (with the     cke_protected syntax). (CVE-2020-9281)

  - ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has     been discovered in CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The     vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting     arbitrary HTML into the editor. It affects all users using the CKEditor 4 plugins listed above at version     >= 4.5.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.
    (CVE-2021-32809)

  - A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x     before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment     because --!> is mishandled. (CVE-2021-33829)

  - ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has     been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The     vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript     code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. The problem has     been recognized and patched. The fix will be available in version 4.16.2. (CVE-2021-37695)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 18.04 LTS / 20.04 LTS / 21.10 host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5340-1 advisory.

  - Cross-site scripting (XSS) vulnerability in the Enhanced Image (aka image2) plugin for CKEditor (in     versions 4.5.10 through 4.9.1; fixed in 4.9.2), as used in Drupal 8 before 8.4.7 and 8.5.x before 8.5.2     and other products, allows remote attackers to inject arbitrary web script through a crafted IMG element.
    (CVE-2018-9861)

  - A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows     remote attackers to inject arbitrary web script through a crafted protected comment (with the     cke_protected syntax). (CVE-2020-9281)

  - ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been     discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a     user to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript     code. It affects all users using the CKEditor 4 plugins listed above at version >= 4.13.0. The problem has     been recognized and patched. The fix will be available in version 4.16.2. (CVE-2021-32808)

  - ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has     been discovered in CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The     vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting     arbitrary HTML into the editor. It affects all users using the CKEditor 4 plugins listed above at version     >= 4.5.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.
    (CVE-2021-32809)

  - In NTFS-3G versions < 2021.8.22, when a specially crafted MFT section is supplied in an NTFS image a heap     buffer overflow can occur and allow for code execution. (CVE-2021-33289)

  - ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has     been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The     vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript     code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. The problem has     been recognized and patched. The fix will be available in version 4.16.2. (CVE-2021-37695)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

- https://www.drupal.org/project/drupal/releases/8.4.8

    - https://www.drupal.org/SA-CORE-2018-004

- https://www.drupal.org/project/drupal/releases/8.4.7

    - https://www.drupal.org/sa-core-2018-003

RPM update: `drupal8-rpmbuild` package dependencies fixed

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its self-reported version number, the detected Drupal application is affected by a cross-site scripting (XSS) vulnerability in the Enhanced Image (aka image2) plugin for CKEditor.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of CKEditor installed on the remote host is affected by a cross-site scripting vulnerability.

The included 'Enhanced Image' plugin causes CKEditor to fail to properly sanitize user-supplied input. A remote, unauthenticated attacker can leverage this issue to inject arbitrary HTML and script code into a user's browser to be executed within the security context of the affected site.

ID	Name	Product	Family	Severity
183711	Ubuntu 16.04 ESM : CKEditor vulnerabilities (USN-5340-2)	Nessus	Ubuntu Local Security Checks	medium
159137	Ubuntu 18.04 LTS / 20.04 LTS : CKEditor vulnerabilities (USN-5340-1)	Nessus	Ubuntu Local Security Checks	medium
122651	Fedora 28 : ckeditor (2019-31ad8a36d8)	Nessus	Fedora Local Security Checks	medium
122627	Fedora 29 : ckeditor (2019-ae7f274d24)	Nessus	Fedora Local Security Checks	medium
120613	Fedora 28 : drupal8 (2018-8fd924a53d) (Drupalgeddon 2)	Nessus	Fedora Local Security Checks	critical
98572	Drupal 8.x < 8.4.7 Enhanced Image Plugin XSS	Web App Scanning	Component Vulnerability	medium
98571	Drupal 8.5.x < 8.5.2 Enhanced Image Plugin XSS	Web App Scanning	Component Vulnerability	medium
109705	Fedora 27 : drupal8 (2018-1ba93b3144) (Drupalgeddon 2)	Nessus	Fedora Local Security Checks	critical
109403	CKEditor 4.5.11 < 4.9.2 Enhanced Image Plugin XSS	Nessus	CGI abuses : XSS	medium

Detections

Analytics

CVE-2018-9861

medium

Tenable Plugins

medium

medium

medium

medium

critical

medium

medium

critical

medium