[ICE-11554] Address vulnerability CVE-2022-24728 in CKEditor - ICEsoft JIRA Issue Tracker

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: EE-4.3.0.GA_P04, EE-3.3.0.GA_P10
Fix Version/s: EE-4.3.0.GA_P05, EE-3.3.0.GA_P11
Component/s: ACE-Components
Labels:
None
Environment:
Any

Description

A supported customer recently brought to our attention that a Black Duck security scan reported that our CKEditor code, version 4.5.8, contains the vulnerability CVE-2022-24728, which is described as "CKEditor contains a code injection vulnerability in the core HTML processing module. This could allow an attacker to inject malformed HTML in order to execute JavaScript code."

This JIRA is to find a way to mitigate or eliminate this vulnerability in the most appropriate and feasible way.

Activity

Ascending order - Click to sort in descending order

Arturo Zambrano created issue - 19/Jun/23 9:16 AM

Arturo Zambrano made changes - 19/Jun/23 9:16 AM

Field	Original Value	New Value
Assignee		Arturo Zambrano [ artzambrano ]

Arturo Zambrano made changes - 19/Jun/23 9:16 AM

Fix Version/s		EE-4.3.0.GA_P05 [ 14073 ]
Fix Version/s		EE-3.3.0.GA_P11 [ 14074 ]

Hide

Permalink

Arturo Zambrano added a comment - 11/Dec/23 11:16 AM

With the upgrade to CKEditor version 4.22.1 as per ~~ICE-11558~~, this vulnerability has been removed.

Show

Arturo Zambrano added a comment - 11/Dec/23 11:16 AM With the upgrade to CKEditor version 4.22.1 as per ICE-11558 , this vulnerability has been removed.

Arturo Zambrano made changes - 11/Dec/23 11:17 AM

Status	Open [ 1 ]	Resolved [ 5 ]
Resolution		Fixed [ 1 ]

People

Assignee:

Arturo Zambrano

Reporter:

Arturo Zambrano

Votes:

0 Vote for this issue

Watchers:

1 Start watching this issue

Dates

Created:

19/Jun/23 9:16 AM

Updated:

11/Dec/23 11:17 AM

Resolved:

11/Dec/23 11:17 AM