ICEfaces / ICE-11554

Address vulnerability CVE-2022-24728 in CKEditor

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: EE-4.3.0.GA_P04, EE-3.3.0.GA_P10
    • Component/s: ACE-Components
    • Labels:
      None
    • Environment:
      Any

      Description

      A supported customer recently brought to our attention that a Black Duck security scan reported that our CKEditor code, version 4.5.8, contains the vulnerability CVE-2022-24728, which is described as "CKEditor contains a code injection vulnerability in the core HTML processing module. This could allow an attacker to inject malformed HTML in order to execute JavaScript code."

      This JIRA is to find a way to mitigate or eliminate this vulnerability in the most appropriate and feasible way.

        Activity

        Arturo Zambrano added a comment -

        With the upgrade to CKEditor version 4.22.1 as per ICE-11558, this vulnerability has been removed.


          People

          • Assignee:
            Arturo Zambrano
            Reporter:
            Arturo Zambrano
          • Votes:
            0
            Watchers:
            1

            Dates

            • Created:
              Updated:
              Resolved: