Out of the 5 vulnerabilities reported on the page referenced in the description, only two apply to our code. Two of those vulnerabilities are only present in sample files that come with CKEditor. We remove all sample files from the CKEditor code that we distribute as part of ICEfaces. Another vulnerability is only present in a plugin named GeSHi, which has to do with syntax highlighting for various programming languages. We do not include that plugin in our code. Moreover, it requires some back-end setup besides its JavaScript code. There are only two vulnerabilities that apply to our code, and they have now been fixed in the 4.x trunk. Those vulnerabilities are described below:
CVE-2024-43411
This was fixed by setting the CKEDITOR.config.versionCheck configuration setting to false, so that the editor doesn't contact the CKEditor 4 host server to check for newer versions.
CVE-2024-24815
This was fixed by patching the HTML Parser module to prevent potential XSS exploits when entering raw HTML content in the editor.