CKEditor is a popular open-source WYSIWYG editor that is highly configurable and is used in hundreds of apps. Drupal uses CKEditor and has decided to update it to version 4.14, which patches two cross-site scripting (XSS) bugs affecting older versions of the software.

Users are advised to update Drupal to version 8.8.4 or 8.7.12. Additionally, future attacks may be prevented by disabling the CKEditor module. Drupal 7 is not impacted, but website administrators using this version should also check that CKEditor has been upgraded to version 4.14 or higher, said Drupal developers.

Although Drupal's description of the vulnerabilities may suggest that they pose a significant risk, only a “moderately critical” rating with a 13/25 risk score has been assigned. The CKEditor 4.14 release notes also show that exploiting the vulnerabilities requires “unlikely” or “highly unlikely” scenarios.

One of the flaws, for example, concerns the HTML data processor. To exploit it, the attacker would have to convince the intended user to insert malicious HTML code into the editor, either in WYSIWYG mode or in source mode. The second vulnerability involves a third-party application called WebSpellChecker Dialog. To exploit it for XSS attacks, an attacker would need to convince the user to switch CKEditor to source mode, paste malicious code, switch back to WYSIWYG mode, and display content on a website where the plugin files for the WebSpellChecker Dialog are accessible.

This is the first patch released by Drupal developers this year; seven rounds of security patches were released in 2019, in January, February, March, April, May, July, and December. Although Drupal is not as aggressively targeted as WordPress, some of the bugs found in recent years have been exploited to hijack websites at some point.