XSS vulnerability in CKEditor 'image2' plugin

Issue date: 26-04-2018
Affects versions: 12.2, 12.1, 11.2

Issue ID: SECURITY-65

Affected Product Version(s)
This vulnerability applies to CMS 12.2.0 and 11.2.6 and earlier versions.

Severity
normal

Description

CKSource released CKEditor 4.9.2 with a security fix: https://ckeditor.com/blog/CKEditor-4.9.2-with-a-security-patch-released

It fixes an XSS vulnerability in the image2 plugin, which is shipped in the Hippo CMS fork of CKEditor:

https://www.onehippo.org/library/concepts/document-types/html-fields/ckeditor-plugins.html

The image2 plugin is not enabled out of the box, so Hippo CMS with the vanilla configuration of HTML fields is not vulnerable. Only customers that explicitly enabled the image2 plugin are vulnerable.

Vulnerable CKEditor versions are 4.5.11 and up, which are used by Hippo CMS 11.x and 12.x:

  • Hippo CMS 11.x uses CKEditor 4.5.11
  • Hippo CMS 12.x uses CKEditor 4.7.1

Hippo CMS 10 is not affected since it uses CKEditor 4.5.5.
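The two conditions above (image2 explicitly enabled, and a bundled CKEditor from 4.5.11 up to but not including the patched 4.9.2) can be checked mechanically. The following triage helper is an added example, not code from the advisory or from Hippo CMS; it reads the standard CKEditor 4 settings `extraPlugins` and `removePlugins` (comma-separated plugin names) from an HTML field's CKEditor configuration JSON, and the configuration snippets it tests are constructed samples.

```python
"""Triage helper for SECURITY-65: is an HTML field's CKEditor exposed?

A field is exposed only if BOTH hold (per the advisory):
  1. the image2 plugin is enabled (listed in extraPlugins and not removed again
     via removePlugins), and
  2. the bundled CKEditor version is >= 4.5.11 and < 4.9.2 (CKSource's patch).
"""
import json

FIRST_VULNERABLE = (4, 5, 11)   # advisory: "4.5.11 and up"
FIXED_IN = (4, 9, 2)            # CKSource release that carries the fix


def parse_version(version: str) -> tuple:
    """Turn '4.7.1' into (4, 7, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.strip().split("."))


def enabled_plugins(config: dict) -> set:
    """Plugins switched on via extraPlugins, minus any listed in removePlugins."""
    def split(key: str) -> set:
        return {p.strip() for p in config.get(key, "").split(",") if p.strip()}
    return split("extraPlugins") - split("removePlugins")


def image2_enabled(config: dict) -> bool:
    return "image2" in enabled_plugins(config)


def ckeditor_version_vulnerable(version: str) -> bool:
    return FIRST_VULNERABLE <= parse_version(version) < FIXED_IN


def is_exposed(ckeditor_version: str, config_json: str) -> bool:
    """True only when both advisory conditions hold for this field."""
    config = json.loads(config_json)
    return ckeditor_version_vulnerable(ckeditor_version) and image2_enabled(config)


# Constructed sample HTML field configurations (plugin names other than image2 are placeholders).
VANILLA = '{"extraPlugins": "placeholderplugin"}'
WITH_IMAGE2 = '{"extraPlugins": "image2,placeholderplugin"}'
IMAGE2_REMOVED = '{"extraPlugins": "image2", "removePlugins": "image2"}'

if __name__ == "__main__":
    # CKEditor 4.5.5 (Hippo CMS 10) and 4.7.1 (Hippo CMS 12.x) from the advisory.
    for version, cfg in [("4.5.5", WITH_IMAGE2), ("4.7.1", VANILLA),
                         ("4.7.1", WITH_IMAGE2), ("4.7.1", IMAGE2_REMOVED)]:
        print(version, cfg, "EXPOSED" if is_exposed(version, cfg) else "not exposed")
```

Because Hippo applied the fix through code changes in its own CKEditor fork, a patched CMS maintenance release may still report the same CKEditor version string; treat the version check as a screening step and confirm against the CMS release actually deployed.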

Instructions

For all currently supported CMS versions this vulnerability has been fixed through code changes only, so remediation requires nothing more than updating to the latest maintenance releases: CMS 11.2.7, CMS 12.2.1 or CMS 12.3.0.