Bug #97239: Upgrade to CKEditor4 v4.18.0 - TYPO3 Core - TYPO3 Forge

Actions

Copy link

Bug #97239

closed

Upgrade to CKEditor4 v4.18.0

Added by Oliver Hader over 2 years ago. Updated about 2 years ago.

Status:

Closed

Priority:

Should have

Assignee:

Category:

RTE (rtehtmlarea + ckeditor)

Target version:

Start date:

2022-03-25

Due date:

% Done:

100%

Estimated time:

TYPO3 Version:

PHP Version:

Tags:

Complexity:

Is Regression:

Sprint Focus:

Description

Recent CKEditor4 v4.18.0 addressed several vulnerabilities:

see https://ckeditor.com/cke4/release/CKEditor-4.18.0 for details
CVE-2022-24728 (XSS via attributes & comments): https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89
CVE-2022-24729 (reDoS via Dialog Plugin API): https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2hh

Mentioned known vulnerabilities are not considered relevant for the TYPO3 backend user interface. By-passing CKEditor's XSS protection allows to store malicious markup in database fields, which is successfully mitigated during frontend rendering with typo3/html-sanitizer. That's why this issue is handled as regular bugfix.

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

TYPO3 Core

Custom queries

Bug #97239

Upgrade to CKEditor4 v4.18.0

Updated by Oliver Hader over 2 years ago

Updated by Oliver Hader over 2 years ago

Updated by Gerrit Code Review over 2 years ago

Updated by Gerrit Code Review over 2 years ago

Updated by Gerrit Code Review over 2 years ago

Updated by Oliver Hader over 2 years ago

Updated by Benni Mack about 2 years ago