renovate[bot]
commented
8 months ago ⚠ Artifact update problem
Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.
♻ Renovate will retry this branch, including artifacts, only when one of the following happens:
- any of the package files in this branch needs updating, or
- the branch becomes conflicted, or
- you click the rebase/retry checkbox if found above, or
- you rename this PR's title to start with "rebase!" to trigger it manually
The artifact failure details are included below:
File name: composer.lock
Command failed: composer update ckeditor/ckeditor:4.24.0 --with-dependencies --ignore-platform-req='ext-*' --ignore-platform-req='lib-*' --no-ansi --no-interaction --no-scripts --no-autoloader --no-plugins
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.
Problem 1
- ezyang/htmlpurifier is locked to version v4.16.0 and an update of this package was not requested.
- ezyang/htmlpurifier v4.16.0 requires php ~5.6.0 || ~7.0.0 || ~7.1.0 || ~7.2.0 || ~7.3.0 || ~7.4.0 || ~8.0.0 || ~8.1.0 || ~8.2.0 -> your php version (8.3.3) does not satisfy that requirement.
Problem 2
- nette/php-generator is locked to version v3.6.9 and an update of this package was not requested.
- nette/php-generator v3.6.9 requires php >=7.2 <8.3 -> your php version (8.3.3) does not satisfy that requirement.
Problem 3
- ezyang/htmlpurifier v4.16.0 requires php ~5.6.0 || ~7.0.0 || ~7.1.0 || ~7.2.0 || ~7.3.0 || ~7.4.0 || ~8.0.0 || ~8.1.0 || ~8.2.0 -> your php version (8.3.3) does not satisfy that requirement.
- phpoffice/phpspreadsheet 1.29.0 requires ezyang/htmlpurifier ^4.15 -> satisfiable by ezyang/htmlpurifier[v4.16.0].
- phpoffice/phpspreadsheet is locked to version 1.29.0 and an update of this package was not requested.
This PR contains the following updates:
4.22.1->4.24.0GitHub Vulnerability Alerts
CVE-2024-24815
Affected packages
The vulnerability has been discovered in the core HTML parsing module and may affect all editor instances that:
scriptandstyleelements).Impact
A potential vulnerability has been discovered in CKEditor 4 HTML processing core module. The vulnerability allowed to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code. An attacker could abuse faulty CDATA content detection and use it to prepare an intentional attack on the editor. It affects all users using the CKEditor 4 at version < 4.24.0-lts.
Patches
The problem has been recognized and patched. The fix will be available in version 4.24.0-lts.
For more information
Email us at security@cksource.com if you have any questions or comments about this advisory.
Acknowledgements
The CKEditor 4 team would like to thank Michal Frýba from ALEF NULA for recognizing and reporting this vulnerability.
Release Notes
ckeditor/ckeditor4-releases (ckeditor/ckeditor)
### [`v4.24.0`](https://togithub.com/ckeditor/ckeditor4-releases/blob/HEAD/CHANGES.md#CKEditor-4240-lts) [Compare Source](https://togithub.com/ckeditor/ckeditor4-releases/compare/4.23.0...4.24.0) ⚠️️️ Please note that this release is a part of [CKEditor 4 Extended Support Model](https://ckeditor.com/ckeditor-4-support/), only available to customers who decided to acquire the LTS (Long Term Support) version of the editor. **All editor versions below 4.24.0-lts can no longer be considered as secure!** ⚠️ **Security Updates:** - Fixed cross-site scripting (XSS) vulnerability caused by incorrect CDATA detection reported by [Michal Frýba](https://cz.linkedin.com/in/michal-fryba), [ALEF NULA](https://www.alefnula.com/). Issue summary: The vulnerability allowed to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code. See [GHA](https://togithub.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm) for more details. - Fixed cross-site scripting (XSS) vulnerability in AJAX sample reported by Rafael Pedrero, see [INCIBE](https://www.incibe.es/en/incibe-cert/notices/aviso/cross-site-scripting-vulnerability-cksource-ckeditor) report. Issue summary: The vulnerability allowed to execute JavaScript code by abusing the AJAX sample. See [GHA](https://togithub.com/ckeditor/ckeditor4/security/advisories/GHSA-wh5w-82f3-wrxh) for more details. - Cross-site scripting (XSS) vulnerability in samples with enabled the preview feature reported by Marcin Wyczechowski & Michał Majchrowicz, AFINE Team. Issue summary: The vulnerability allowed to execute JavaScript code by abusing the misconfigured preview feature. See [GHA](https://togithub.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76) for more details. You can read more details in the relevant security advisories. [Contact us](security@cksource.com) if you have more questions. **An upgrade is highly recommended!** Fixed Issues: - Fixed: The CDATA parsing mechanism incorrectly detects the end of CDATA content. This fix unifies how style and script elements are parsed with the browser's behavior. ### [`v4.23.0`](https://togithub.com/ckeditor/ckeditor4-releases/blob/HEAD/CHANGES.md#CKEditor-4230-lts) [Compare Source](https://togithub.com/ckeditor/ckeditor4-releases/compare/4.22.1...4.23.0) This release introduces the LTS (”Long Term Support”) version of the editor, available under commercial terms (["Extended Support Model"](https://ckeditor.com/ckeditor-4-support/)). If you acquired the Extended Support Model for CKEditor 4 LTS, please read [the CKEditor 4 LTS key activation guide.](https://ckeditor.com/docs/ckeditor4/latest/support/licensing/license-key-and-activation.html)Configuration
📅 Schedule: Branch creation - "" in timezone Europe/Warsaw, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.