Bug #97239
Updated by Oliver Hader over 2 years ago
Recent CKEditor4 v4.18.0 addressed several vulnerabilities: * see https://ckeditor.com/cke4/release/CKEditor-4.18.0 for details * CVE-2022-24728 (XSS via attributes attribtes & comments): https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89 * CVE-2022-24729 (reDoS via Dialog Plugin API): https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2hh Mentioned known vulnerabilities of CKEditor4 <4.18.0 are not considered relevant severe for the TYPO3 backend user interface. backend. By-passing CKEditor's XSS protection allows to store malicious markup in database fields, which is successfully mitigated during frontend rendering with @typo3/html-sanitizer@. That's why this issue is handled as regular bugfix.