Synopsis
A PHP application running on the remote web server is affected by a vulnerability.
Description
According to its self-reported version, the instance of Drupal running on the remote web server is 8.7.x prior to 8.7.12 or 8.8.x prior to 8.8.4. It is, therefore, affected by a vulnerability.
- The Drupal project uses the third-party library CKEditor, which has released a security improvement that is needed to protect some Drupal configurations.
Vulnerabilities are possible if Drupal is configured to use the WYSIWYG CKEditor for your site's users. When multiple people can edit content, the vulnerability can be used to execute XSS attacks against other people, including site admins with more access. The latest versions of Drupal update CKEditor to 4.14 to mitigate the vulnerabilities. (SA-CORE-2020-001)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Upgrade to Drupal version 8.7.12 / 8.8.4 or later.