Drupal Core Security Advisory: CKEditor 5 Vulnerability in Versions 10.0 to 10.2.9

The Drupal Security Team has issued a security advisory for Drupal core (SA-CORE-2024-002) covering a moderately critical vulnerability that affects versions 10.0 through 10.2.9. The issue stems from improper error handling in the CKEditor 5 module: under certain uncommon site configurations, an image upload could move the entire webroot to a different location on the file system. The vulnerability is theoretical, but if triggered it could be exploited by malicious users to take a site offline.

The risk is mitigated by the fact that several non-default configurations must be in place simultaneously for the vulnerability to be triggered. Drupal 10.3 and above, as well as Drupal 7, are not affected by this issue.

Sites running affected versions are advised to update to Drupal 10.2.10. Drupal 10 releases earlier than 10.2 (10.0 and 10.1), as well as Drupal 8 and 9, have reached end-of-life and no longer receive security coverage, so sites on those branches should move to 10.2.10 or later rather than expecting a fix for their branch. The issue was reported by Pierre Rudloff and fixed by members of the Drupal Security Team.
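The version ranges above are easy to misread at scale (10.1.x is both affected and end-of-life, 10.2.10 is the fix, 10.3 is clean, Drupal 7 is out of scope). The following triage helper is an added example written for this page; it is not code from the advisory or from the Drupal project. It reads the pinned drupal/core version out of a composer.lock (a constructed sample is embedded inline) and classifies it against the ranges the advisory states. Dev pins such as "10.2.x-dev" are deliberately reported as unknown rather than guessed.

```python
import json
import re

ADVISORY = "SA-CORE-2024-002"
FIXED_RELEASE = "10.2.10"

# Release strings as they appear in composer.lock, e.g. "10.2.9" or "v10.2.9".
# Drupal 7 uses two components ("7.99"), so the patch level is optional.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(version: str):
    """Return (major, minor, patch) for a release string, or None for dev/unparseable pins."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def classify(version: str) -> str:
    """Triage one drupal/core version against the ranges stated in the advisory."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"          # e.g. "10.2.x-dev": inspect the pinned commit by hand
    major, minor, patch = parsed
    if major == 7:
        return "not_affected"     # advisory states Drupal 7 is unaffected
    if major in (8, 9):
        return "end_of_life"      # no security coverage; not assessed by the advisory
    if major == 10:
        if (minor, patch) < (2, 10):
            return "affected"     # 10.0.0 through 10.2.9 (10.0.x/10.1.x are also EOL)
        return "not_affected"     # 10.2.10 carries the fix; 10.3+ is unaffected
    if major > 10:
        return "not_affected"     # later majors postdate the fix
    return "unknown"


def audit_composer_lock(lock_text: str) -> dict:
    """Locate drupal/core in a composer.lock document and report status and action."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "drupal/core":
            status = classify(pkg.get("version", ""))
            action = "update to " + FIXED_RELEASE if status == "affected" else "none"
            return {"advisory": ADVISORY, "version": pkg.get("version"),
                    "status": status, "action": action}
    return {"advisory": ADVISORY, "version": None, "status": "unknown",
            "action": "drupal/core not found in lock file"}


# Constructed sample lock file (trimmed to the one package that matters here).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.2.9"},
        {"name": "drupal/ckeditor5", "version": "10.2.9"},
    ]
})

if __name__ == "__main__":
    print(audit_composer_lock(SAMPLE_LOCK))
```

Run it against each site's composer.lock (for example `python triage.py < composer.lock` after swapping `SAMPLE_LOCK` for `sys.stdin.read()`); a result of `affected` means the site is inside the 10.0 to 10.2.9 window and should be moved to 10.2.10 regardless of whether the non-default configurations the advisory mentions are believed to be present.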

Note: The vision of this web portal is to help promote news and stories around the Drupal community and to promote and celebrate the people and organizations in the community. We strive to create and distribute our content based on this content policy. If you see any omission or variation from it, please reach out to us in the #thedroptimes channel on Drupal Slack and we will try to address the issue as best we can.