Package: ckeditor
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for ckeditor.

CVE-2024-43407[0]:
| CKEditor4 is an open source what-you-see-is-what-you-get HTML
| editor. A potential vulnerability has been discovered in CKEditor 4
| Code Snippet GeSHi plugin. The vulnerability allowed a reflected XSS
| attack by exploiting a flaw in the GeSHi syntax highlighter library
| hosted by the victim. The GeSHi library was included as a vendor
| dependency in CKEditor 4 source files. In a specific scenario, an
| attacker could craft a malicious script that could be executed by
| sending a request to the GeSHi library hosted on a PHP web server.
| The GeSHi library is no longer actively maintained. Due to the lack
| of ongoing support and updates, potential security vulnerabilities
| have been identified with its continued use. To mitigate these risks
| and enhance the overall security of the CKEditor 4, we have decided
| to completely remove the GeSHi library as a dependency. This change
| aims to maintain a secure environment and reduce the risk of any
| security incidents related to outdated or unsupported software. The
| fix is available in version 4.25.0-lts.

https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7r32-vfj5-c2jv

Fixed by removing the plugins/codesnippetgeshi/dev directory completely:

https://github.com/ckeditor/ckeditor4/commit/71072c9f7f263329841bd38e7e5309074c82ef94 (4.25.0-lts)
https://github.com/ckeditor/ckeditor4/commit/951e7d75fcbcaa2590b0719fb0bb0dd0539ca6fa (4.25.0-lts)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-43407
    https://www.cve.org/CVERecord?id=CVE-2024-43407

Please adjust the affected versions in the BTS as needed.

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel