Detections
Analytics

Drupal 8.9.x < 8.9.16 / 9.x < 9.0.14 / 9.1.x < 9.1.9 Drupal Vulnerability (SA-CORE-2021-003)

high Nessus Plugin ID 149999

Language:

Synopsis

A PHP application running on the remote web server is affected by a vulnerability.

Description

According to its self-reported version, the instance of Drupal running on the remote web server is 8.9.x prior to 8.9.16, 9.x prior to 9.0.14, or 9.1.x prior to 9.1.9. It is, therefore, affected by a vulnerability.

 - Drupal core uses the third-party CKEditor library. This library has an error in parsing HTML that could lead to an XSS attack. CKEditor 4.16.1 and later include the fix. Users of the CKEditor library via means other than Drupal core should update their 3rd party code (e.g. the WYSIWYG module for Drupal 7). The Drupal Security Team policy is not to alert for issues affecting 3rd party libraries unless those are shipped with Drupal core. See DRUPAL-SA-PSA-2016-004 for more details. This issue is mitigated by the fact that it only affects sites with CKEditor enabled. (SA-CORE-2021-003)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Drupal version 8.9.16 / 9.0.14 / 9.1.9 or later.

See Also

https://www.drupal.org/sa-core-2021-003

https://www.drupal.org/project/drupal/releases/8.9.16

https://www.drupal.org/project/drupal/releases/9.0.14

https://www.drupal.org/project/drupal/releases/9.1.9

https://www.drupal.org/psa-2016-004

Plugin Details

Severity: High

ID: 149999

File Name: drupal_9_1_9.nasl

Version: 1.3

Type: remote

Family: CGI abuses

Published: 5/27/2021

Updated: 4/11/2022

Configuration: Enable paranoid mode, Enable thorough checks

Supported Sensors: Nessus

Vulnerability Information

CPE: cpe:/a:drupal:drupal

Required KB Items: Settings/ParanoidReport, installed_sw/Drupal

Exploit Ease: No known exploits are available

Patch Publication Date: 5/26/2021

Vulnerability Publication Date: 5/26/2021