Fluid Attacks Database

Description

Enhanced Image plugin for CKEditor is vulnerable to Cross-site scripting (XSS) The Enhanced Image (aka image2) plugin for CKEditor in versions 4.5.10 through 4.9.1; fixed in 4.9.2, and as used in Drupal 8 before 8.4.7 and 8.5.x before 8.5.2 and other products, is vulnerable to cross-site scripting because it allows remote attackers to inject arbitrary web script through a crafted IMG element.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	drupal/drupal	>=8.0 <8.4.7 \|\| >=8.5 <8.5.2	8.4.7, 8.5.2
npm	ckeditor-dev	>=4.5.10 <4.9.2	4.9.2
packagist	drupal/core	>=8.5.0 <8.5.2 \|\| >=8.0 <8.4.7	8.5.2, 8.4.7

Aliases

1. CVE-2018-98612. NVD-2018-98613. OSV-2018-98614. GCVE-2018-9861

References

1. https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2018-9861.yaml2. https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2018-9861.yaml3. https://github.com/ckeditor/ckeditor-dev/blob/master/CHANGES.md4. https://www.drupal.org/sa-core-2018-0035. https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html6. http://www.securityfocus.com/bid/103924