GHSA-337w-fxpq-5m34: 
PHP vulnerability analysis and mitigation

The vulnerability (GHSA-337w-fxpq-5m34) affects Drupal core's implementation of the CKEditor third-party library. Discovered and disclosed on March 18, 2020, this moderately critical vulnerability impacts Drupal versions 8.0.0 through 8.7.11 and 8.8.0 through 8.8.3. The issue was addressed in versions 8.7.12 and 8.8.4 (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 score of 4.2 (Moderate severity) with the following vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N. This indicates a network-based attack vector with high complexity, requiring no privileges but necessitating user interaction. The scope is unchanged, with low impact on both confidentiality and integrity, and no impact on availability (GitHub Advisory).

The vulnerability primarily affects Drupal configurations that use the WYSIWYG CKEditor. When exploited, it can enable Cross-Site Scripting (XSS) attacks targeting users with access to the WYSIWYG CKEditor, potentially including site administrators with privileged access (GitHub Advisory).

The vulnerability has been patched in Drupal versions 8.7.12 and 8.8.4, which update CKEditor to version 4.14. Users are advised to upgrade to these patched versions to mitigate the vulnerability (GitHub Advisory).