Source: ckeditor3
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for ckeditor4, but it needs
to be checked to which extent ckeditor3 is affected and the patches in
question backported.

CVE-2014-5191[0]:
| Cross-site scripting (XSS) vulnerability in the Preview plugin before
| 4.4.3 in CKEditor allows remote attackers to inject arbitrary web
| script or HTML via unspecified vectors.

https://dev.ckeditor.com/browser/CKEditor/trunk/_source/plugins/preview/preview.html?rev=7706 (v3.6.x)
https://github.com/ckeditor/ckeditor4/commit/b685874c6bc873a76e6e95916c43840a2b7ab08a (v4.4.3)

CVE-2018-17960[1]:
| CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a
| source-mode paste.

CVE-2021-26271[2]:
| It was possible to execute a ReDoS-type attack inside CKEditor 4
| before 4.16 by persuading a victim to paste crafted text into the
| Styles input of specific dialogs (in the Advanced Tab for Dialogs
| plugin).

https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416

CVE-2021-33829[3]:
| A cross-site scripting (XSS) vulnerability in the HTML Data Processor
| in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote
| attackers to inject executable JavaScript code through a crafted
| comment because --!> is mishandled.

https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser
https://github.com/ckeditor/ckeditor4/commit/3e426ce34f7fc7bf784624358831ef9e189bb6ed

CVE-2021-37695[4]:
| ckeditor is an open source WYSIWYG HTML editor with rich content
| support. A potential vulnerability has been discovered in CKEditor 4
| [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package.
| The vulnerability allowed to inject malformed Fake Objects HTML, which
| could result in executing JavaScript code. It affects all users using
| the CKEditor 4 plugins listed above at version < 4.16.2. The
| problem has been recognized and patched. The fix will be available in
| version 4.16.2.

https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc
https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58

CVE-2021-41165[5]:
| CKEditor4 is an open source WYSIWYG HTML editor. In affected version a
| vulnerability has been discovered in the core HTML processing module
| and may affect all plugins used by CKEditor 4. The vulnerability
| allowed to inject malformed comments HTML bypassing content
| sanitization, which could result in executing JavaScript code. It
| affects all users using the CKEditor 4 at version < 4.17.0. The
| problem has been recognized and patched. The fix will be available in
| version 4.17.0.

https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2 (v4.17.0)

CVE-2022-24728[6]:
| CKEditor4 is an open source what-you-see-is-what-you-get HTML editor.
| A vulnerability has been discovered in the core HTML processing module
| and may affect all plugins used by CKEditor 4 prior to version 4.18.0.
| The vulnerability allows someone to inject malformed HTML bypassing
| content sanitization, which could result in executing JavaScript code.
| This problem has been patched in version 4.18.0. There are currently
| no known workarounds.

https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89
https://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881bc949 (4.18.0)

CVE-2022-24729[7]:
| CKEditor4 is an open source what-you-see-is-what-you-get HTML editor.
| CKEditor4 prior to version 4.18.0 contains a vulnerability in the
| `dialog` plugin. The vulnerability allows abuse of a dialog input
| validator regular expression, which can cause a significant
| performance drop resulting in a browser tab freeze. A patch is
| available in version 4.18.0. There are currently no known workarounds.

https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2hh

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-5191
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5191
[1] https://security-tracker.debian.org/tracker/CVE-2018-17960
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17960
[2] https://security-tracker.debian.org/tracker/CVE-2021-26271
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26271
[3] https://security-tracker.debian.org/tracker/CVE-2021-33829
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33829
[4] https://security-tracker.debian.org/tracker/CVE-2021-37695
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37695
[5] https://security-tracker.debian.org/tracker/CVE-2021-41165
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41165
[6] https://security-tracker.debian.org/tracker/CVE-2022-24728
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24728
[7] https://security-tracker.debian.org/tracker/CVE-2022-24729
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24729

Please adjust the affected versions in the BTS as needed.