Drupal 8.7.x < 8.7.12 / 8.8.x < 8.8.4 Drupal Vulnerability (SA-CORE-2020-001) (drupal-2020-03-18)

Medium Nessus Plugin ID 134702

Synopsis

A PHP application running on the remote web server is affected by a vulnerability.

Description

According to its self-reported version, the instance of Drupal running on the remote web server is 8.7.x prior to 8.7.12 or 8.8.x prior to 8.8.4. It is, therefore, affected by a vulnerability.

- The Drupal project uses the third-party library CKEditor, which has released a security improvement that is needed to protect some Drupal configurations. Vulnerabilities are possible if Drupal is configured to use the WYSIWYG CKEditor for your site's users. When multiple people can edit content, the vulnerability can be used to execute XSS attacks against other people, including site admins with more access. The latest versions of Drupal update CKEditor to 4.14 to mitigate the vulnerabilities. (SA-CORE-2020-001)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Drupal version 8.7.12 / 8.8.4 or later.

See Also

https://www.drupal.org/sa-core-2020-001

http://www.nessus.org/u?54adedaa

https://github.com/ckeditor/ckeditor4

https://www.drupal.org/project/drupal/releases/8.7.12

https://www.drupal.org/project/drupal/releases/8.8.4

Plugin Details

Severity: Medium

ID: 134702

File Name: drupal_8_8_4.nasl

Version: 1.2

Type: remote

Family: CGI abuses

Published: 2020/03/19

Updated: 2020/03/27

Dependencies: 18638

Configuration: Enable paranoid mode

Risk Information

Risk Factor: Medium

Vulnerability Information

CPE: cpe:/a:drupal:drupal

Required KB Items: installed_sw/Drupal, Settings/ParanoidReport

Patch Publication Date: 2020/03/18

Vulnerability Publication Date: 2020/03/18

Reference Information

IAVA: 2020-A-0118