it-securitynotifies AT lists.piratenpartei.de
Betreff: Sicherheitsankündigungen
Listenarchiv
[IT-SecNots] [Security-news] CKEditor 4 LTS - WYSIWYG HTML editor - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-009
Chronologisch Thread
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] CKEditor 4 LTS - WYSIWYG HTML editor - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-009
- Date: Wed, 14 Feb 2024 20:08:09 +0000 (UTC)
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 6DFD584683
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org BDFA542E8D
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2024-009
Project: CKEditor 4 LTS - WYSIWYG HTML editor [1]
Date: 2024-February-14
Security risk: *Moderately critical* 12∕25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross Site Scripting
Affected versions: >=1.0.0 <1.0.1
Description:
The CKEditor 4 LTS - WYSIWYG HTML editor module uses the CKEditor library for
WYSIWYG editing. CKEditor has released a security update [3] that on certain
configurations may impact the Drupal module that bundles and integrates this
code.
The vulnerability is mitigated by the fact it requires:
1) full-page editing [4] mode is enabled
2) or CDATA elements in Advanced Content Filtering configuration (defaults
to script and style elements) are enabled.
3) An attacker must have a permission with access to the CKEditor instance.
For more information, see CKEditor's security advisory:
CVE-2024-24815 [5]: Cross-site scripting (XSS) vulnerability caused by
incorrect CDATA detection
Solution:
Install the latest version:
* If you use the CKEditor 4 LTS - WYSIWYG HTML editor module for Drupal
9.4+, upgrade to ckeditor_lts 1.0.1 [6]
Reported By:
* cilefen [7] of the Drupal Security Team
* Juraj Nemec [8] of the Drupal Security Team
Fixed By:
* Wojciech Kukowski [9]
* Jacek Bogdański [10]
* Dawid [11]
Coordinated By:
* Greg Knaddison [12] of the Drupal Security Team
* catch [13] of the Drupal Security Team
[1] https://www.drupal.org/project/ckeditor_lts
[2] https://www.drupal.org/security-team/risk-levels
[3] https://ckeditor.com/cke4/release/CKEditor-4.24.0-LTS
[4] https://ckeditor.com/docs/ckeditor4/latest/features/fullpage.html
[5]
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm
[6] https://www.drupal.org/project/ckeditor_lts/releases/1.0.1
[7] https://www.drupal.org/user/1850070
[8] https://www.drupal.org/user/272316
[9] https://www.drupal.org/user/3104645
[10] https://www.drupal.org/user/3683355
[11] https://www.drupal.org/user/3741013
[12] https://www.drupal.org/user/36762
[13] https://www.drupal.org/user/35733
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
- [IT-SecNots] [Security-news] CKEditor 4 LTS - WYSIWYG HTML editor - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-009, security-news, 14.02.2024
Archiv bereitgestellt durch MHonArc 2.6.19+.