[IT-SecNots] [Security-news] CKEditor 5 Premium Features - Moderately critical - Access bypass - SA-CONTRIB-2025-118

[security-news AT drupal.org]

View online: https://www.drupal.org/sa-contrib-2025-118

Project: CKEditor 5 Premium Features [1]
Date: 2025-December-03
Security risk: *Moderately critical* 13 ∕ 25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass

Affected versions: <1.2.10 || >=1.3.0 <1.3.6 || >=1.4.0 <1.4.3 || >=1.5.0
<1.5.1 || >=1.6.0 <1.6.4
CVE IDs: CVE-2025-13980
Description: 
The module provides instant integration of the official CKEditor 5 Premium
plugins into the Drupal editor configuration.

This module has a path traversal vulnerability, which allows an access bypass
to restricted image files in the system.

This access bypass is possible for any account with a /View published
content/ permission, but the risk is mitigated by the fact that only images
can be opened.

Solution: 
Install the latest version:

 * If you use the 10.3 or higher or 11.x versions of Drupal core, upgrade the
   module to CKEditor 5 Premium Features 1.6.4 [3].
 * If you use the 10.0 to 10.2 versions of Drupal core, upgrade the module to
   CKEditor 5 Premium Features 1.5.1 [4].
 * If you use the 9.x version of Drupal core, upgrade the module to CKEditor
   5 Premium Features 1.3.6 [5].

A fix was also released to already unsupported branches. However, we
recommend to use the latest version that works with the version of Drupal
core that you're using:

 * CKEditor 5 Premium Features 1.4.3 [6].
 * CKEditor 5 Premium Features 1.2.10 [7].

After the module is updated, if you are using the Export to Word or Export to
PDF plugins, please grant the /Use exporters endpoints/ permission to roles
that are allowed to use text formats with export plugins enabled.

Reported By: 
 * Wojciech Kukowski (salmonek) [8]

Fixed By: 
 * Wojciech Kukowski (salmonek) [9]

Coordinated By: 
 * Greg Knaddison (greggles) [10] of the Drupal Security Team
 * Juraj Nemec (poker10) [11] of the Drupal Security Team
 * Jess  (xjm) [12] of the Drupal Security Team

------------------------------------------------------------------------------
Contribution record [13]

[1] https://www.drupal.org/project/ckeditor5_premium_features
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/ckeditor5_premium_features/releases/1.6.4
[4] https://www.drupal.org/project/ckeditor5_premium_features/releases/1.5.1
[5] https://www.drupal.org/project/ckeditor5_premium_features/releases/1.3.6
[6] https://www.drupal.org/project/ckeditor5_premium_features/releases/1.4.3
[7] https://www.drupal.org/project/ckeditor5_premium_features/releases/1.2.10
[8] https://www.drupal.org/u/salmonek
[9] https://www.drupal.org/u/salmonek
[10] https://www.drupal.org/u/greggles
[11] https://www.drupal.org/u/poker10
[12] https://www.drupal.org/u/xjm
[13]  
https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3561307

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news