Webform - Moderately critical - Cross Site Scripting - SA-CONTRIB-2021-026
Project: Webform Date: 2021-August-25 Security risk: Moderately critical 12∕25 Vulnerability: Cross Site Scripting
An attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor, including site admins with privileged access.
For more information, see CKEditor's announcement of the release.
Install the latest version:
If you are using a previous release of the Webform module you can immediately do one of several options.
- Update Drupal
- If you are using Composer, run
drush webform:libraries:composer > DRUPAL_ROOT/composer.libraries.jsonand run
- If you are using Drush, run
Learn more about updating Webform libraries.