ArchLinux: 202106-35: drupal: cross-site scripting
Summary
Drupal core uses the third-party CKEditor library. This library has an error in parsing HTML that could lead to a cross-site scripting (XSS) attack. CKEditor 4.16.1 and later, as bundled with Drupal 9.1.9, include the fix.
Resolution
Upgrade to 9.1.10-1.
# pacman -Syu "drupal>=9.1.10-1"
The problem has been fixed upstream in version 9.1.10.
References
https://www.drupal.org/sa-core-2021-003 https://ckeditor.com/blog/upgrade-ckeditor-4-to-5/ https://security.archlinux.org/CVE-2021-33829
Workaround
None.