XSS vulnerability in CKEditor 'image2' plugin
Issue date: 26-04-2018
Affects versions: 12.2, 12.1, 11.2
Issue ID: SECURITY-65
Affected Product Version(s)
This vulnerability applies to Hippo CMS 12.2.0 and earlier 12.x releases, and to 11.2.6 and earlier 11.x releases.
Severity
normal
Description
CKSource released CKEditor 4.9.2 with a security fix: https://ckeditor.com/blog/CKEditor-4.9.2-with-a-security-patch-released
It fixes an XSS vulnerability in the image2 plugin, which is shipped in the Hippo CMS fork of CKEditor:
https://www.onehippo.org/library/concepts/document-types/html-fields/ckeditor-plugins.html
The image2 plugin is not enabled out of the box, so Hippo CMS with the vanilla HTML field configuration is not vulnerable. Only installations that explicitly enabled the image2 plugin are vulnerable.
Vulnerable CKEditor versions are 4.5.11 up to and including 4.9.1 (4.9.2 carries the fix); Hippo CMS 11.x and 12.x ship versions in that range:
- Hippo CMS 11.x uses CKEditor 4.5.11
- Hippo CMS 12.x uses CKEditor 4.7.1
Hippo CMS 10 is not affected since it uses CKEditor 4.5.5.
Instructions
For all currently supported CMS versions this vulnerability has been fixed through code changes only, so it only requires updating to the latest maintenance release: CMS 11.2.7, CMS 12.2.1 or CMS 12.3.0.
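The two conditions above (a Hippo CMS release that ships an affected CKEditor build, and an HTML field whose CKEditor configuration explicitly enables image2) can be checked per installation. The following Python is an added triage example, not code from Hippo CMS or CKSource. It assumes the field's CKEditor configuration is available as the JSON document Hippo stores for the HTML field (taken here to be the `ckeditor.config.appended.json` property; that property name is an assumption), and it uses CKEditor's standard `extraPlugins` / `removePlugins` keys. The release cut-offs are the ones stated in this advisory.

```python
import json
import re

# Hippo CMS release lines and the first maintenance release of each line that
# carries the SECURITY-65 fix, per this advisory (11.2.7 and 12.2.1; 12.3.0 is
# also fixed). Hippo CMS 10.x ships CKEditor 4.5.5 and is not affected, so it
# is deliberately absent from this table.
FIXED_RELEASES = {11: (11, 2, 7), 12: (12, 2, 1)}


def parse_version(version):
    """Turn '12.2.0' (or '12.2.0-SNAPSHOT') into a comparable tuple of ints."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError("unrecognised Hippo CMS version: %r" % version)
    return tuple(int(x) for x in m.groups())


def cms_release_vulnerable(version):
    """True if this Hippo CMS release ships a CKEditor build with the image2 bug."""
    v = parse_version(version)
    fixed = FIXED_RELEASES.get(v[0])
    if fixed is None:
        return False  # 10.x and earlier use CKEditor older than 4.5.11
    return v < fixed


def _plugin_set(value):
    """CKEditor lists plugins as a comma-separated string; normalise to a set."""
    if not value:
        return set()
    return {p.strip() for p in value.split(",") if p.strip()}


def image2_enabled(ckeditor_config_json):
    """True if the field's CKEditor config activates the image2 plugin.

    ckeditor_config_json is the JSON document stored for the HTML field
    (assumed here to be the 'ckeditor.config.appended.json' property).
    image2 is only active when it is listed in extraPlugins and not listed
    in removePlugins; an empty or missing config means the vanilla setup.
    """
    cfg = json.loads(ckeditor_config_json) if ckeditor_config_json else {}
    extra = _plugin_set(cfg.get("extraPlugins", ""))
    removed = _plugin_set(cfg.get("removePlugins", ""))
    return "image2" in extra and "image2" not in removed


def assess(version, ckeditor_config_json):
    """Return (affected, reason) for one Hippo CMS installation."""
    if not cms_release_vulnerable(version):
        return False, "release %s already carries the CKEditor fix" % version
    if not image2_enabled(ckeditor_config_json):
        return False, "release %s is vulnerable but image2 is not enabled" % version
    fixed = FIXED_RELEASES[parse_version(version)[0]]
    return True, "update to %s or later" % ".".join(map(str, fixed))


# Constructed sample configurations, not taken from any real installation.
SAMPLE_CONFIG_IMAGE2 = '{"extraPlugins": "image2,codemirror"}'
SAMPLE_CONFIG_VANILLA = '{"extraPlugins": "codemirror"}'

if __name__ == "__main__":
    for ver, cfg in [("12.2.0", SAMPLE_CONFIG_IMAGE2),
                     ("12.2.0", SAMPLE_CONFIG_VANILLA),
                     ("12.1.3", SAMPLE_CONFIG_IMAGE2),
                     ("10.2.0", SAMPLE_CONFIG_IMAGE2)]:
        print(ver, assess(ver, cfg))
```

Note that a 12.1.x installation with image2 enabled is reported as affected with "update to 12.2.1 or later": there is no fixed 12.1 maintenance release, so the upgrade target is the next fixed line listed in the instructions.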