DRUPAL-CORE-2018-003

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/core/DRUPAL-CORE-2018-003.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CORE-2018-003
Aliases
Published
2018-04-18T15:34:09Z
Modified
2025-12-10T23:41:15.971028Z
Summary
[none]
Details

CKEditor, a third-party JavaScript library included in Drupal core, has fixed a cross-site scripting (XSS) vulnerability. It was possible to execute XSS inside CKEditor when using the image2 plugin, which Drupal 8 core also uses.

We would like to thank the CKEditor team for patching the vulnerability, coordinating the fix and release process, and matching the Drupal core security window.

References
Credits

Affected packages

Packagist / drupal/core

Package

Name
drupal/core
Purl
pkg:composer/drupal/core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0
Fixed
8.4.7
Database specific
{
    "constraint": ">= 8.0.0 <8.4.7"
}
Type
ECOSYSTEM
Events
Introduced
8.5.0
Fixed
8.5.2
Database specific
{
    "constraint": ">=8.5.0 <8.5.2"
}

Affected versions

8.*

8.0.0
8.0.1
8.0.2
8.0.3
8.0.4
8.0.5
8.0.6
8.1.0-beta1
8.1.0-beta2
8.1.0-rc1
8.1.0
8.1.1
8.1.2
8.1.3
8.1.4
8.1.5
8.1.6
8.1.7
8.1.8
8.1.9
8.1.10
8.2.0-beta1
8.2.0-beta2
8.2.0-beta3
8.2.0-rc1
8.2.0-rc2
8.2.0
8.2.1
8.2.2
8.2.3
8.2.4
8.2.5
8.2.6
8.2.7
8.2.8
8.3.0-alpha1
8.3.0-beta1
8.3.0-rc1
8.3.0-rc2
8.3.0
8.3.1
8.3.2
8.3.3
8.3.4
8.3.5
8.3.6
8.3.7
8.3.8
8.3.9
8.4.0-alpha1
8.4.0-beta1
8.4.0-rc1
8.4.0-rc2
8.4.0
8.4.1
8.4.2
8.4.3
8.4.4
8.4.5
8.4.6
8.5.0
8.5.1

Database specific

affected_versions

">= 8.0.0 <8.4.7 || >=8.5.0 <8.5.2"