GHSA-qf65-hph9-453r: 
PHP vulnerability analysis and mitigation

The vulnerability (GHSA-qf65-hph9-453r) affects the CKEditor library integration in Drupal core, discovered and disclosed on August 12, 2021. This security issue impacts Drupal versions 8.0.0 through 8.9.16, 9.0.0 through 9.1.12, and 9.2.0 through 9.2.4. The vulnerability was classified as moderately critical, affecting systems configured to use CKEditor for WYSIWYG editing (Drupal Advisory).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue with a CVSS v3.1 base score of 4.6 (Moderate severity). The attack vector is Network-based with low attack complexity, requiring low privileges and user interaction. The vulnerability maintains unchanged scope with low impacts on both confidentiality and integrity, while having no impact on availability (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N) (GitHub Advisory).

The vulnerability allows attackers with content creation or editing capabilities to potentially exploit Cross-Site Scripting (XSS) vulnerabilities, even without direct access to CKEditor. The primary targets are users with access to the WYSIWYG CKEditor, including site administrators with privileged access (Drupal Advisory).

Users are advised to update to the patched versions: Drupal 9.2.4, 9.1.12, or 8.9.16 depending on their current version. Drupal 7 core is not affected, but site owners across all versions should review their sites following the protocol for managing external libraries and plugins. This is particularly important as contributed projects may use additional CKEditor plugins not packaged in Drupal core (Drupal Advisory).