4.6

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-qf65-hph9-453r

EPSS Score

CWE

CWE-79

Published

5/15/2024

Updated

5/15/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-qf65-hph9-453r

GHSA-qf65-hph9-453r: Drupal Cross-Site Scripting (XSS) affecting CKEditor Third-party library

The Drupal project uses the CKEditor, library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal.

Vulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor, including site admins with privileged access.

(GitHub Advisory)

4.6

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-qf65-hph9-453r

EPSS Score

CWE

CWE-79

Published

5/15/2024

Updated

5/15/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
drupal/drupal	composer	>= 8.0.0, < 8.9.16	8.9.16
drupal/drupal	composer	>= 9.0.0, < 9.1.12	9.1.12
drupal/drupal	composer	>= 9.2.0, < 9.2.4	9.2.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from Drupal's integration with an outdated CKEditor library rather than specific vulnerable functions within Drupal's codebase. The advisory indicates the XSS vulnerabilities exist in the third-party CKEditor component itself, which Drupal uses for WYSIWYG editing. The fix involves updating the CKEditor library dependency to a patched version, not modifying Drupal's internal functions. Without access to specific commit diffs or Drupal code changes related to this vulnerability, we cannot confidently identify specific Drupal functions that introduced the vulnerability. The security issue is resolved by updating the external library version constraint in Drupal's dependencies rather than patching specific PHP functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** *rup*l proj**t us*s t** *K**itor, li*r*ry *or WYSIWY* **itin*. *K**itor **s r*l**s** * s**urity up**t* t**t imp**ts *rup*l. Vuln*r**iliti*s *r* possi*l* i* *rup*l is *on*i*ur** to *llow us* o* t** *K**itor li*r*ry *or WYSIWY* **itin*. *n *tt**k*

Reasoning

T** vuln*r**ility st*ms *rom *rup*l's int**r*tion wit* *n out**t** `*K**itor` li*r*ry r*t**r t**n sp**i*i* vuln*r**l* *un*tions wit*in *rup*l's *o****s*. T** **visory in*i**t*s t** XSS vuln*r**iliti*s *xist in t** t*ir*-p*rty `*K**itor` *ompon*nt its

4.6

Basic Information

Concerned about an active attack path?

GHSA-qf65-hph9-453r: Drupal Cross-Site Scripting (XSS) affecting CKEditor Third-party library

4.6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI