DXPR Builder - Moderately critical - Cross Site Scripting - CKEditor 4.17.0

View all advisories / Read security policy

CKEditor, a third-party JavaScript library included in DXPR Builder, has fixed multiple vulnerabilities since we last updated this library.

Vulnerabilities are possible on any site that uses DXPR Builder as an editor. An attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to DXPR Builder, including site admins with privileged access.

text adapted from: https://www.drupal.org/sa-core-2021-005

CKEditor security release included in this update:

4.17.0

Date

Tuesday, November 23, 2021 - 10:00

Product updates

DXPR Builder
1.x
1.5.4

DXPR Builder
7.x
1.3.3

Impact key

Moderately Critical

Security risk

AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default

Vulnerability

Cross Site Scripting

Solution

If you are using DXPR Builder, update to version 1.5.4 or 7.x-1.3.3.