CVE-2018-9861

Name of the Vulnerable Software and Affected Versions CKEditor versions 4.5.10 through 4.9.1 Drupal 8 versions prior to 8.4.7 Drupal 8.5.x versions prior to 8.5.2

Description The issue allows remote attackers to inject arbitrary web script through a crafted IMG element, resulting in a cross-site scripting (XSS) vulnerability. This occurs because the Enhanced Image plugin for CKEditor does not properly validate user input.

Recommendations For CKEditor versions 4.5.10 through 4.9.1, update to version 4.9.2 to resolve the issue. For Drupal 8 versions prior to 8.4.7, update to version 8.4.7 or later. For Drupal 8.5.x versions prior to 8.5.2, update to version 8.5.2 or later. As a temporary workaround, consider disabling the Enhanced Image plugin until a patch is available. Restrict access to the image2 plugin to minimize the risk of exploitation. Avoid using crafted IMG elements in the affected API endpoints until the issue is resolved.