CKEditor versions 4.5.11 through 4.9.1 have a cross-site scripting (XSS) vulnerability when using the image2 plugin. CKEditor bundled with Drupal 8 is fixed in versions 8.5.2 and 8.4.7. The Drupal 7.x CKEditor version 1.18 is not vulnerable.
External References: https://www.drupal.org/sa-core-2018-003
Upstream patch: https://github.com/ckeditor/ckeditor-dev/commit/aab10e3d0ad6a11cfb4eab47f1c0353593dd4f00
Created ckeditor tracking bugs for this issue:
Affects: fedora-all [bug 1569829]
Created drupal8 tracking bugs for this issue:
Affects: fedora-all [bug 1569830]
All dependent bugs have been closed. Can this tracking bug be closed?
In reply to comment #2:
> All dependent bugs have been closed. Can this tracking bug be closed?
Yep, closed.