Bug #97239: Upgrade to CKEditor4 v4.18.0 - TYPO3 Core - TYPO3 Forge

Bug #97239

Updated by Oliver Hader over 2 years ago

Recent CKEditor4 v4.18.0 addressed several vulnerabilities: 

 * see https://ckeditor.com/cke4/release/CKEditor-4.18.0 for details 
 * CVE-2022-24728 (XSS via attributes & comments): https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89 
 * CVE-2022-24729 (reDoS via Dialog Plugin API): https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2hh 

 Mentioned known vulnerabilities of CKEditor4 <4.18.0 are not considered relevant for the TYPO3 backend user interface. By-passing CKEditor's XSS protection allows to store malicious markup in database fields, which is successfully mitigated during frontend rendering with @typo3/html-sanitizer@. That's why this issue is handled as regular bugfix.

Back

Project

General

Profile

TYPO3 Core

Bug #97239