ICEfaces
ICE-11563

Update our CKEditor code with new security fixes

    Details

    • Type: Task
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: EE-4.3.0.GA_P05, EE-3.3.0.GA_P11
    • Component/s: ACE-Components
    • Labels:
      None
    • Environment:
      Any

      Description

      For our previous patch release, we updated our CKEditor code to version 4.22.1, which is the last version of the non-LTS CKEditor 4 line. Since then a number of vulnerabilities have been found and the respective fixes have been applied to the CKEditor 4 LTS, which is now at version 4.25.0. Since we don't use the LTS variant of CKEditor 4, we have to apply these security updates manually to our existing code. This JIRA is to apply those fixes.

      More specific details about these vulnerabilities can be found on this page:

      https://security.snyk.io/package/npm/ckeditor4/4.22.1

        Activity

        Arturo Zambrano created issue
        Arturo Zambrano made changes: Fix Version/s set to EE-3.3.0.GA_P12 [14176]
        Arturo Zambrano made changes: Fix Version/s set to EE-4.3.0.GA_P06 [14175]
        Arturo Zambrano made changes: Affects Version/s set to EE-4.3.0.GA_P05 [14073]
        Arturo Zambrano added a comment (edited)

        Out of the 5 vulnerabilities reported on the page referenced in the description, only two apply to our code. Two of those vulnerabilities are only present in sample files that come with CKEditor. We remove all sample files from the CKEditor code that we distribute as part of ICEfaces. Another vulnerability is only present in a plugin named GeSHi, which has to do with syntax highlighting for various programming languages. We do not include that plugin in our code. Moreover, it requires some back end setup besides its JavaScript code. There are only two vulnerabilities that apply to our code and they have now been fixed in the 4.x trunk. Those vulnerabilities are described below:

        CVE-2024-43411
        This was fixed by setting the CKEDITOR.config.versionCheck configuration setting to false, so that the editor doesn't contact the CKEditor 4 host server to check for newer versions.

        CVE-2024-24815
        This was fixed by patching the HTML Parser module to prevent potential XSS exploits when entering raw HTML content in the editor.

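As an added example (not code from ICEfaces or CKEditor), the configuration change described in the comment above, together with a small audit that encodes two details a practitioner wants to know before trusting the fix: CKEditor 4.22+ documents the default of `config.versionCheck` as `true`, so an unset key means the editor still contacts the CKEditor 4 host server on startup, and a per-instance config object passed to `CKEDITOR.replace()` overrides the global `CKEDITOR.config`, so one instance can silently re-enable the check. The `CKEDITOR` object, the instance ids and the config maps below are constructed stand-ins so the snippet runs under Node without ckeditor.js.

```javascript
// Added example for the CVE-2024-43411 mitigation described in the comment
// above; it is not ICEfaces or CKEditor code. CKEDITOR is a small stand-in
// object so the snippet runs under Node without ckeditor.js; in a page the
// real global is defined by the editor script.
const CKEDITOR = { config: {} };

// Effective state of the version check for one editor instance.
// CKEditor 4.22+ documents the default of config.versionCheck as true, so an
// absent key means the editor will contact the CKEditor 4 host server on
// startup: "not configured" is the insecure state. Per-instance settings
// (the object passed to CKEDITOR.replace()) take precedence over CKEDITOR.config.
function versionCheckEnabled(instanceConfig, globalConfig) {
  if (instanceConfig && typeof instanceConfig.versionCheck === 'boolean') {
    return instanceConfig.versionCheck;
  }
  if (globalConfig && typeof globalConfig.versionCheck === 'boolean') {
    return globalConfig.versionCheck;
  }
  return true; // documented CKEditor 4 default
}

// Audit: given a map of instance id -> per-instance config (a constructed
// stand-in for the CKEDITOR.replace() calls a page makes), return the ids
// that would still phone home under the given global config.
function instancesStillPhoningHome(instances, globalConfig) {
  return Object.keys(instances).filter(
    (id) => versionCheckEnabled(instances[id], globalConfig)
  );
}

// Weak state: the defaults shipped with 4.22.1. Nothing is set, so every
// editor on the page performs the version check.
const weakGlobal = {};
const weakInstances = {
  editor1: {},                      // relies on the default (true)
  editor2: { versionCheck: true },  // explicitly enabled
};

// Hardened state, as done for this issue: disable the check once, globally,
// in the bundled CKEditor config so every instance inherits it.
CKEDITOR.config.versionCheck = false;
const hardenedInstances = {
  editor1: {},                      // inherits false from CKEDITOR.config
  editor2: { versionCheck: false }, // explicit, also fine
  editor3: { versionCheck: true },  // per-instance override re-enables it;
                                    // the audit flags this one
};

console.log('weak:', instancesStillPhoningHome(weakInstances, weakGlobal));
console.log('hardened:', instancesStillPhoningHome(hardenedInstances, CKEDITOR.config));
```

Run it with `node` to see `['editor1', 'editor2']` flagged in the weak state and only `editor3` in the hardened one. The same audit is worth keeping as a page or build test, since a later `CKEDITOR.replace(id, { versionCheck: true })` would undo the global setting without touching the patched file. The end-to-end check is in the browser: after the change, loading a page with the editor should produce no request to the CKEditor 4 host in the network tab.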
        Arturo Zambrano added a comment

        More related information can be found in the following URLs:

        https://security.snyk.io/package/npm/ckeditor4/4.22.1
        https://ckeditor.com/docs/ckeditor4/latest/api/CKEDITOR_plugins_notification.html
        https://nvd.nist.gov/vuln/detail/CVE-2024-43411

          People

          • Assignee:
            Arturo Zambrano
            Reporter:
            Arturo Zambrano
          • Votes:
            0
            Watchers:
            1
