Drupal Security Team reports:
The Drupal project uses the third-party library CKEditor, which has
released a security improvement that is needed to protect some
Drupal configurations.
Vulnerabilities are possible if Drupal is configured to use the
WYSIWYG CKEditor for your site's users. An attacker that can createor
edit content may be able to exploit this Cross Site Scripting (XSS)
vulnerability to target users with access to the WYSIWYG CKEditor,
and this may include site admins with privileged access.
The latest versions of Drupal update CKEditor to 4.14 to mitigate
the vulnerabilities.
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center