XSS vulnerability in CKEditor 'image2' plugin

Issue date: 26-04-2018
Affects versions: 12.2, 12.1, 11.2

Issue ID: SECURITY-65

Affected Product Version(s)
This vulnerability applies to CMS 12.2.0 and 11.2.6 and earlier versions.

Severity
normal

Description

CKSource released CKEditor 4.9.2 with a security fix: https://ckeditor.com/blog/CKEditor-4.9.2-with-a-security-patch-released

It fixes an XSS vulnerability in the image2 plugin, which is shipped in the Hippo CMS fork of CKEditor:

https://www.onehippo.org/library/concepts/document-types/html-fields/ckeditor-plugins.html

The image2 plugin is not enabled out of the box. So with the vanilla configuration of HTML fields, Hippo CMS is not vulnerable. Only customers that explicitly enabled the image2 plugin are vulnerable.

Vulnerable CKEditor versions are 4.5.11 and up, which are used by Hippo CMS 11.x and 12.x:

Hippo CMS 11.x uses CKEditor 4.5.11
Hippo CMS 12.x uses CKEditor 4.7.1

Hippo CMS 10 is not affected since it uses CKEditor 4.5.5.

Instructions

For all current supported CMS versions this vulnerability has been fixed, through code changes only, and only requires updating to the latest maintenance releases: CMS CMS 11.2.7, CMS 12.2.1 or CMS 12.3.0.

Get Started

Build a Website

Relevance Trail

Feed an AngularJS App

Understand Hippo

Implement Hippo

Extend Hippo

Integrate Hippo

Run Hippo

Upgrade Hippo

Develop Hippo

Use Hippo

Report an Issue

Bloomreach Documentation version

XSS vulnerability in CKEditor 'image2' plugin