Details
-
Type: Task
-
Status: Open
-
Priority: Major
-
Resolution: Unresolved
-
Affects Version/s: EE-4.3.0.GA_P05, EE-3.3.0.GA_P11
-
Fix Version/s: EE-4.3.0.GA_P06, EE-3.3.0.GA_P12
-
Component/s: ACE-Components
-
Labels:None
-
Environment:Any
Description
For our previous patch release, we updated our CKEditor code to version 4.22.1, which is the last version of the non-LTS CKEditor 4 line. Since then a number of vulnerabilities have been found and the respective fixes have been applied to the CKEditor 4 LTS, which is now at version 4.25.0. Since we don't use the LTS variant of CKEditor 4, we have to apply these security updates manually to our existing code. This JIRA is to apply those fixes.
More specific details about these vulnerabilities can be found on this page:
https://security.snyk.io/package/npm/ckeditor4/4.22.1
More specific details about these vulnerabilities can be found on this page:
https://security.snyk.io/package/npm/ckeditor4/4.22.1
Out of the 5 vulnerabilities reported one the page referenced in the description, only two apply to our code. Two of those vulnerabilities are only present in sample files that come with CKEditor. We remove all sample files from the CKEditor code that we distribute as part of ICEfaces. Another vulnerability is only present in a plugin named GeSHi, which has to do with syntax highlighting for various programming languages. We do not include that plugin in our code. Moreover, it requires some back end setup besides its Javascript code. There are only two vulnerabilities that apply to our code and they have been now fixed in the 4.x trunk. Those vulnerabilities are described below:
CVE-2024-43411
This was fixed by setting the CKEDITOR.config.versionCheck configuration setting to false, so that the editor doesn't contact the CKEditor 4 host server to check for newer versions.
CVE-2024-24815
This was fixed by patching the HTML Parser module to prevent potential XSS exploits when entering raw HTML content in the editor.