Another critical flaw has been found in Drupal website, the open source content management framework and it is time to update it once more.
Within a month it is the second time that a vulnerability has been found in Drupal which allows remote attackers to bring about advanced attacks including cookie theft, keylogging, phishing and identity theft.
This vulnerability was found by the Drupal security team and is vulnerable to cross-site scripting (XSS) that resides in a third-party plugin called CKEditor which is pre-integrated in Drupal core to help site administrators and users create interactive content.
Enhanced Image plugin was introduced in CKEditor 4.3 and supports an advanced way of inserting images into the content using an editor.
The Drupal Security team reports that the vulnerability occurred from the fact that it was possible to execute XSS inside CKEditor when using the image2 plugin (which Drupal 8 core also uses.
CKEditor has patched the vulnerability with the release of CKEditor version 4.9.2, which has also been patched in the CMS by the Drupal security team with the release of Drupal version 8.5.2 and Drupal 8.4.7.
The CKEditor plugin in Drupal 7.x is configured to load from the CDN servers, and so it is not affected by the flaw.
But if you have installed the CKEditor plugin manually, it is better to download and upgrade your plugin to the latest version from its official website.
Drupal recently patched another critical vulnerability, dubbed Drupalgeddon2 which has been exploited in the wild to deliver backdoors, cryptocurrency miners and other types of malware. It allows malicious attackers to take complete control of websites. This flaw affects Drupal 6, 7 and 8, and it was patched with updates released in late March. However, due to ignorance from the users to patch their systems and websites timely, the Drupalgeddon2 vulnerability has been found exploiting widely.
The users are therefore highly recommended to take security measures and aids seriously and keep their systems and software up-to-date in order to avoid becoming victims of any cyber attack.