primefaces-extensions / primefaces-extensions.github.com

Organization repo, only for homepage, wiki and issue tracker
https://primefaces-extensions.github.io/

CKEditor: XSS Issue #810

Closed cfpfeiff closed 4 years ago

cfpfeiff commented 4 years ago

Hi,

We had a penetration testing of our application using Primefaces Extensions 7.0.3 (with CKEditor 4.11.2) and got this finding:

A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted “protected” comment (with the cke_protected syntax). Recommendation: Update CKEditor to the latest version. Sources: https://vulners.com/cve/CVE-2020-9281, https://ckeditor.com/cke4/release/CKEditor-4.14.0
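As an added check that is not part of this issue or of the PrimeFaces Extensions project: the finding above is a version-based one (CKEditor 4.x below 4.14.0, fixed per the linked advisory for CVE-2020-9281), so the practical question for a defender is which CKEditor build a deployment actually ships. The Python below reads a `ckeditor.js` body, extracts `CKEDITOR.version`, and reports whether it predates the fix. The two version-string spellings it matches (`CKEDITOR.version = '…'` in source, `version:"…"` in the minified build) are an assumption about how CKEditor 4 exposes its version; the sample inputs are constructed, standing in for the 4.11.2 and 4.14.1 builds named in this thread.

```python
import os
import re
from typing import Iterator, Optional, Tuple

# CVE-2020-9281 (crafted cke_protected comment) is fixed in CKEditor 4.14.0,
# per the advisory linked in the issue. Versions 4.0 <= v < 4.14.0 are affected.
FIXED_IN = (4, 14, 0)

# Assumption: CKEditor 4 exposes its version as CKEDITOR.version, written as
# `CKEDITOR.version = '4.11.2'` in source and `version:"4.11.2"` in the
# minified ckeditor.js. CKEDITOR.revision (a hash) is deliberately not matched.
_VERSION_RE = re.compile(r"""version\s*[:=]\s*['"](\d+(?:\.\d+)*)['"]""")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '4.14' / '4.14.1' into a 3-tuple, zero-padded so that
    (4, 14) and (4, 14, 0) compare as equal rather than (4, 14) < (4, 14, 0)."""
    parts = [int(p) for p in text.split(".")]
    parts = (parts + [0, 0, 0])[:3]
    return parts[0], parts[1], parts[2]


def find_ckeditor_version(js: str) -> Optional[Tuple[int, int, int]]:
    """Return the CKEDITOR.version found in a ckeditor.js body, or None."""
    m = _VERSION_RE.search(js)
    return parse_version(m.group(1)) if m else None


def is_vulnerable(js: str) -> Optional[bool]:
    """True if the build predates the 4.14.0 fix, False if patched (or not a
    4.x build at all), None if no version string was found (inspect manually)."""
    v = find_ckeditor_version(js)
    if v is None:
        return None
    if v[0] != 4:          # only the CKEditor 4 line is in scope for this CVE
        return False
    return v < FIXED_IN


def audit_tree(root: str) -> Iterator[Tuple[str, Optional[bool]]]:
    """Walk an exploded WAR / resources directory and classify every
    ckeditor.js found. Yields (path, verdict) pairs; verdict as in is_vulnerable."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == "ckeditor.js":
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    yield path, is_vulnerable(fh.read())


# Constructed samples (not real file contents) standing in for the builds named
# in this issue: CKEditor 4.11.2 as bundled with PF Extensions 7.0.3, and
# 4.14.1 as bundled from 8.0.4 onward.
SAMPLE_OLD = 'var CKEDITOR={timestamp:"J4I7",version:"4.11.2",revision:"cafe"};'
SAMPLE_NEW = "CKEDITOR.version = '4.14.1';"

if __name__ == "__main__":
    for label, js in (("7.0.3 bundle", SAMPLE_OLD), ("8.0.4 bundle", SAMPLE_NEW)):
        print(label, find_ckeditor_version(js), "vulnerable:", is_vulnerable(js))
```

In a PrimeFaces Extensions deployment the editor ships inside the resources jar, so the useful input is the exploded WAR or the extracted jar: `audit_tree("/path/to/exploded-war")` walks it and flags each `ckeditor.js` whose version is below 4.14.0. The check only inventories versions; it does not exercise the HTML Data Processor, so a `None` verdict (no version string found) should be resolved by hand rather than treated as safe.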

melloware commented 4 years ago

Thanks @cfhuch, let me see if I can upgrade it for 8.0.4+. This component is complex and upgrading it has been tricky in the past, so wish me luck!

melloware commented 4 years ago

Upgraded to 4.14.1 with commit: https://github.com/primefaces-extensions/resources-ckeditor/commit/e9f7cc8673a87300ec8be9904dca7044c1480054

melloware commented 4 years ago

8.0.4 is now in Maven Central