DRUPAL-CONTRIB-2021-026

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/webform/DRUPAL-CONTRIB-2021-026.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2021-026
Published
2021-08-25T15:27:54Z
Modified
2025-12-10T23:33:23.563047Z
Summary
[none]
Details

The Webform module uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that impacts Webform.

An attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor, including site admins with privileged access.

For more information, see CKEditor's announcement of the release.

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/webform

Package

Name
drupal/webform
Purl
pkg:composer/drupal/webform

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.28.0
Database specific
{
    "constraint": "<5.28.0"
}
Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.5
Database specific
{
    "constraint": ">=6.0.0 <6.0.5"
}

Database specific

affected_versions
"<5.28.0 || >=6.0.0 <6.0.5"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/webform/DRUPAL-CONTRIB-2021-026.json"