Source: ckeditor
Version: 4.19.1+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for ckeditor.

CVE-2023-28439[0]:
| CKEditor4 is an open source what-you-see-is-what-you-get HTML editor.
| A cross-site scripting vulnerability has been discovered affecting
| Iframe Dialog and Media Embed packages. The vulnerability may trigger
| a JavaScript code after fulfilling special conditions: using one of
| the affected packages on a web page with missing proper Content
| Security Policy configuration; initializing the editor on an element
| and using an element other than `<textarea>` as a base; and
| destroying the editor instance. This vulnerability might affect a
| small percentage of integrators that depend on dynamic editor
| initialization/destroy mechanism. A fix is available in CKEditor4
| version 4.21.0. In some rare cases, a security fix may be considered a
| breaking change. Starting from version 4.21.0, the Iframe Dialog
| plugin applies the `sandbox` attribute by default, which restricts
| JavaScript code execution in the iframe element. To change this
| behavior, configure the `config.iframe_attributes` option. Also
| starting from version 4.21.0, the Media Embed plugin regenerates the
| entire content of the embed widget by default. To change this
| behavior, configure the `config.embed_keepOriginalContent` option.
| Those who choose to enable either of the more permissive options or
| who cannot upgrade to a patched version should properly configure
| Content Security Policy to avoid any potential security issues that
| may arise from embedding iframe elements on their web page.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-28439
    https://www.cve.org/CVERecord?id=CVE-2023-28439
[1] https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-vh5c-xwqv-cv9g
[2] https://github.com/ckeditor/ckeditor4/commit/b85af23f020a61397c6c0024aef73f2c7f62bfef

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
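The advisory above ties the risk to two editor options (`config.iframe_attributes` without `sandbox`, `config.embed_keepOriginalContent` enabled) and to a page served without a restrictive Content Security Policy. The following is an added example, not part of the Debian report or of CKEditor's own code: a small audit helper that takes a CKEditor 4 configuration object and the page's CSP header value and reports which of those conditions hold. It assumes the configuration is available as a plain object (for instance the object passed to `CKEDITOR.replace`), and that `auditCkeditorConfig`, `parseCsp` and `frameSources` are names chosen here, not CKEditor APIs.

```javascript
// Added example (not from the Debian report or from CKEditor): audit a
// CKEditor 4 config object plus the page's Content-Security-Policy header
// for the permissive conditions named in the CVE-2023-28439 advisory.
// Assumptions: the config keys are exactly those the advisory names
// (iframe_attributes, embed_keepOriginalContent); the CSP header value is
// passed in as a string (e.g. read from the response in a deployment check).

// Parse a Content-Security-Policy header value into { directive: [sources] }.
// Per the CSP spec, when a directive is repeated the first occurrence wins.
function parseCsp(header) {
  const policy = {};
  for (const part of String(header || '').split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Effective source list governing iframes: frame-src falls back to
// child-src, which falls back to default-src. Returns null when none is set.
function frameSources(policy) {
  return policy['frame-src'] || policy['child-src'] || policy['default-src'] || null;
}

// Returns a list of human-readable findings; an empty list means none of
// the advisory's permissive conditions were detected.
function auditCkeditorConfig(config, cspHeader) {
  const findings = [];
  const attrs = config.iframe_attributes;

  // Iframe Dialog: from 4.21.0 the default attribute set includes sandbox.
  // An explicit iframe_attributes object that omits sandbox re-enables
  // script execution inside embedded iframes.
  if (attrs && typeof attrs === 'object' && !('sandbox' in attrs)) {
    findings.push('iframe_attributes overrides the default without a sandbox attribute');
  }

  // Media Embed: keeping the original embed content instead of regenerating
  // it is the more permissive behaviour the advisory describes.
  if (config.embed_keepOriginalContent === true) {
    findings.push('embed_keepOriginalContent is enabled');
  }

  // CSP: the advisory's remaining mitigation is a policy that restricts
  // what iframes and scripts the page may load.
  const policy = parseCsp(cspHeader);
  const frames = frameSources(policy);
  if (frames === null) {
    findings.push('CSP sets no frame-src, child-src or default-src');
  } else if (frames.includes('*')) {
    findings.push('CSP allows frames from any origin');
  }
  if (!policy['script-src'] && !policy['default-src']) {
    findings.push('CSP sets no script-src or default-src');
  }
  return findings;
}

// Constructed sample inputs for a stand-alone run.
const permissiveConfig = { iframe_attributes: { allowfullscreen: '' }, embed_keepOriginalContent: true };
const hardenedConfig = {};
const hardenedCsp = "default-src 'self'; frame-src https://www.youtube.com; script-src 'self'";

if (typeof require !== 'undefined' && require.main === module) {
  console.log('permissive:', auditCkeditorConfig(permissiveConfig, ''));
  console.log('hardened:', auditCkeditorConfig(hardenedConfig, hardenedCsp));
}
```

Leaving `iframe_attributes` unset relies on the 4.21.0 default the advisory describes; the helper therefore only flags an explicit override that drops `sandbox`. On a Debian system still on 4.19.1, where that default does not exist, the CSP findings are the ones that matter until the fixed package is installed.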

