Vulnerability DatabaseGHSA-vfgc-c76h-mwh4

GHSA-vfgc-c76h-mwh4:
PHP vulnerability analysis and mitigation

Overview

The vulnerability (GHSA-vfgc-c76h-mwh4) affects Drupal core and involves Cross-Site Scripting (XSS) vulnerabilities related to the CKEditor library used for WYSIWYG editing. The issue was identified and disclosed with a moderate severity rating, affecting multiple versions of Drupal 8.x and 9.x series (GitHub Advisory).

Technical details

The vulnerability has been assigned a CVSS v3.1 score of 5.3 (Moderate), with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N. The technical assessment indicates a network-based attack vector with high attack complexity, requiring no privileges but necessitating user interaction. The scope is unchanged, with no impact on confidentiality, high impact on integrity, and no impact on availability (GitHub Advisory).

Impact

The vulnerability could allow an attacker who can create or edit content to exploit Cross-Site Scripting (XSS) vulnerabilities, even without direct access to CKEditor. The primary targets are users with access to the WYSIWYG CKEditor, including site administrators with privileged access (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been patched in Drupal versions 8.9.18, 9.1.12, and 9.2.4. Users are advised to upgrade to these patched versions to mitigate the risk (GitHub Advisory).