galetahub / ckeditor

Ckeditor 4.x integration gem for rails
https://ckeditor.com/ckeditor-4/
MIT License

ckeditor version security vulnerabilities #914

Closed JSOUSA90 closed 2 years ago

JSOUSA90 commented 2 years ago

Description: CKEditor version used (4.11.3) has cross-site scripting and denial-of-service vulnerabilities associated with it.

References:

https://vulners.com/cve/CVE-2020-9281 The HTML Data Processor for CKEditor, in versions prior to v4.16, allows remote attackers to inject arbitrary web script through a crafted “protected” comment (with the cke_protected syntax).

https://vulners.com/cve/CVE-2021-26272 It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).

Request: Please update to v4.16

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.