DXPR Builder - Moderately critical - Cross Site Scripting - CKEditor 4.16.2

View all advisories / Read security policy

CKEditor, a third-party JavaScript library included in DXPR Builder, has fixed multiple vulnerabilities since we last updated this library.

An attacker that can create or edit content (even without access to DXPR Builder themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor, including site admins with privileged access.

text adapted from: https://www.drupal.org/sa-core-2021-005

CKEditor security release included in this update:

4.16.2

Date

Tuesday, August 17, 2021 - 17:00

Product updates

DXPR Builder
7.x
1.3.2

DXPR Builder
1.x
1.5.0

Impact key

Moderately Critical

Security risk

AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default

Vulnerability

Cross Site Scripting

Solution

If you are using DXPR Builder, update to version 1.5.0 or 7.x-1.3.2.