[Security-news] CKEditor 4 LTS - WYSIWYG HTML editor - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-009

security-news at drupal.org security-news at drupal.org
Wed Feb 14 20:08:09 UTC 2024


View online: https://www.drupal.org/sa-contrib-2024-009

Project: CKEditor 4 LTS - WYSIWYG HTML editor [1]
Date: 2024-February-14
Security risk: *Moderately critical* 12∕25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross Site Scripting

Affected versions: >=1.0.0 <1.0.1
Description: 
The CKEditor 4 LTS - WYSIWYG HTML editor module uses the CKEditor library for
WYSIWYG editing. CKEditor has released a security update [3] that on certain
configurations may impact the Drupal module that bundles and integrates this
code.

The vulnerability is mitigated by the fact it requires:

   1) full-page editing [4] mode is enabled
   2) or CDATA elements in Advanced Content Filtering configuration (defaults
      to script and style elements) are enabled.
   3) An attacker must have a permission with access to the CKEditor instance.

For more information, see CKEditor's security advisory:
CVE-2024-24815 [5]: Cross-site scripting (XSS) vulnerability caused by
incorrect CDATA detection

Solution: 
Install the latest version:

   * If you use the CKEditor 4 LTS - WYSIWYG HTML editor module for Drupal
     9.4+, upgrade to ckeditor_lts 1.0.1 [6]

Reported By: 
   * cilefen  [7] of the Drupal Security Team
   * Juraj Nemec [8] of the Drupal Security Team

Fixed By: 
   * Wojciech Kukowski [9]
   * Jacek Bogdański [10]
   * Dawid  [11]

Coordinated By: 
   * Greg Knaddison [12] of the Drupal Security Team
   * catch [13] of the Drupal Security Team


[1] https://www.drupal.org/project/ckeditor_lts
[2] https://www.drupal.org/security-team/risk-levels
[3] https://ckeditor.com/cke4/release/CKEditor-4.24.0-LTS
[4] https://ckeditor.com/docs/ckeditor4/latest/features/fullpage.html
[5]
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm
[6] https://www.drupal.org/project/ckeditor_lts/releases/1.0.1
[7] https://www.drupal.org/user/1850070
[8] https://www.drupal.org/user/272316
[9] https://www.drupal.org/user/3104645
[10] https://www.drupal.org/user/3683355
[11] https://www.drupal.org/user/3741013
[12] https://www.drupal.org/user/36762
[13] https://www.drupal.org/user/35733



More information about the Security-news mailing list