Source: ckeditor3
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,

The following vulnerability was published for ckeditor3.

CVE-2023-28439[0]:
| CKEditor4 is an open source what-you-see-is-what-you-get HTML
| editor. A cross-site scripting vulnerability has been discovered
| affecting Iframe Dialog and Media Embed packages. The vulnerability
| may trigger a JavaScript code after fulfilling special conditions:
| using one of the affected packages on a web page with missing proper
| Content Security Policy configuration; initializing the editor on an
| element and using an element other than `<textarea>` as a base; and
| destroying the editor instance. This vulnerability might affect a
| small percentage of integrators that depend on dynamic editor
| initialization/destroy mechanism. A fix is available in CKEditor4
| version 4.21.0. In some rare cases, a security fix may be considered
| a breaking change. Starting from version 4.21.0, the Iframe Dialog
| plugin applies the `sandbox` attribute by default, which restricts
| JavaScript code execution in the iframe element. To change this
| behavior, configure the `config.iframe_attributes` option. Also
| starting from version 4.21.0, the Media Embed plugin regenerates the
| entire content of the embed widget by default. To change this
| behavior, configure the `config.embed_keepOriginalContent` option.
| Those who choose to enable either of the more permissive options or
| who cannot upgrade to a patched version should properly configure
| Content Security Policy to avoid any potential security issues that
| may arise from embedding iframe elements on their web page.

https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-vh5c-xwqv-cv9g
https://github.com/ckeditor/ckeditor4/commit/b85af23f020a61397c6c0024aef73f2c7f62bfef (4.21.0)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-28439
    https://www.cve.org/CVERecord?id=CVE-2023-28439

Please adjust the affected versions in the BTS as needed.