Wysiwyg - Moderately critical - Cross site scripting - SA-CONTRIB-2022-003
Project: Wysiwyg
Date: 2022-January-05
Security risk: Moderately critical 14/25
Vulnerability: Cross site scripting
Description
This module enables you to integrate various What-You-See-Is-What-You-Get (WYSIWYG) rich text editors into Drupal fields with text formats allowing markup for easier editing.
The module doesn't sufficiently sanitize user input before attaching a WYSIWYG editor to an input field such as a textarea. If the editor in use has an XSS vulnerability, this would allow, for example, a commenter to submit specially crafted markup that triggers the vulnerability when the content is viewed in the editor by an administrator.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content using a text format with an attached and XSS vulnerable rich text editor.
Solution:
Install the latest version:
- If you use the Wysiwyg module for Drupal 7.x, upgrade to WYSIWYG 7.x-2.9
After upgrading, verify that text formats which have a WYSIWYG editor profile also use a text filter, such as Core's "Limit allowed HTML tags", if they are accessible by untrusted users.
A list of known compatible input filters that will be applied is shown when configuring a WYSIWYG editor profile along with a status indicator.
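As an added example (not part of this advisory or of the Wysiwyg module's own code), the following Drush script automates the verification step above on a Drupal 7 site: it lists every text format that has an editor profile attached, reports whether a markup-restricting filter is enabled on it, and flags formats that untrusted roles can use. It assumes the Drupal 7 core filter API (`filter_formats()`, `filter_list_format()`, `filter_get_roles_by_format()`) and the Wysiwyg module's `wysiwyg_profile_load_all()`; the set of filter names treated as sanitizing and the set of roles treated as untrusted are assumptions to adapt per site.

```php
<?php
/**
 * Added example, not part of the advisory or the Wysiwyg module.
 * Run on a Drupal 7 site with:  drush scr check_wysiwyg_formats.php
 *
 * For each text format that has a Wysiwyg editor profile, report whether a
 * filter that restricts or neutralises HTML is enabled, and whether roles
 * treated as untrusted may use the format.
 */

// Filters that restrict or neutralise markup (assumption: extend with any
// contrib filters the site relies on). filter_html is Core's
// "Limit allowed HTML tags"; filter_html_escape renders HTML as plain text.
$sanitizing_filters = array('filter_html', 'filter_html_escape');

// Roles treated as untrusted for this check (assumption: adjust per site).
$untrusted_rids = array(DRUPAL_ANONYMOUS_RID, DRUPAL_AUTHENTICATED_RID);

// Wysiwyg profiles are keyed by text format machine name; a profile whose
// editor is empty means "No editor" and is out of scope for this advisory.
$profiles = wysiwyg_profile_load_all();

$problems = 0;
foreach (filter_formats() as $format) {
  $id = $format->format;
  if (!isset($profiles[$id]) || empty($profiles[$id]->editor)) {
    continue;
  }

  // Collect the filters that are actually enabled on this format.
  $enabled = array();
  foreach (filter_list_format($id) as $name => $filter) {
    if (!empty($filter->status)) {
      $enabled[] = $name;
    }
  }
  $has_sanitizer = (bool) array_intersect($enabled, $sanitizing_filters);

  // Roles allowed to use this format; formats reachable by untrusted roles
  // are the ones the advisory's mitigation note is about.
  $roles = filter_get_roles_by_format($format);
  $untrusted = array_intersect_key($roles, array_flip($untrusted_rids));

  $status = $has_sanitizer ? 'OK' : ($untrusted ? 'PROBLEM' : 'WARNING');
  if ($status === 'PROBLEM') {
    $problems++;
  }

  print sprintf(
    "[%s] %s (%s): editor=%s, enabled filters=%s, untrusted roles=%s\n",
    $status,
    $format->name,
    $id,
    $profiles[$id]->editor,
    $enabled ? implode(', ', $enabled) : 'none',
    $untrusted ? implode(', ', $untrusted) : 'none'
  );
}

print sprintf("%d format(s) with an editor but no sanitizing filter are usable by untrusted roles.\n", $problems);
```

A format reported as PROBLEM is one where untrusted users can author content that an administrator may later open in the editor without any HTML filter standing between them; a WARNING is a format with the same gap that only trusted roles can use. Fix a PROBLEM by enabling "Limit allowed HTML tags" (or an equivalent filter) on that format, then re-run the script.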
It is recommended to always be using the latest stable version of any installed editor libraries.