Allele Security Alert
ASA-2018-00077
Identifier(s)
ASA-2018-00077, TYPO3-CORE-SA-2018-005, CVE-2018-17960
Title
Cross-Site Scripting in CKEditor using source area
Vendor(s)
TYPO3 Association
Product(s)
TYPO3
Affected version(s)
TYPO3 8.5.0 to 8.7.20 and 9.0.0 to 9.5.1
Fixed version(s)
TYPO3 versions 8.7.21 or 9.5.2
Proof of concept
Unknown
Description
It has been discovered that the third-party library CKEditor is vulnerable to cross-site scripting. A valid backend user account is needed in order to exploit this vulnerability.
Technical details
CKEditor 4.11 fixes an XSS vulnerability in the HTML parser. The vulnerability stemmed from the fact that it was possible to execute XSS inside the CKEditor source area after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste specially crafted HTML code, prepared by the attacker, into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode. Although this is an unlikely scenario, we recommend upgrading to the latest editor version.
Credits
maxarr, Peter Kraume and Benni Mack (TYPO3 core team)
Reference(s)
TYPO3 9.5.2, 8.7.21 and 7.6.32 security releases published
https://typo3.org/article/typo3-952-8721-and-7632-security-releases-published/
TYPO3-CORE-SA-2018-005: Cross-Site Scripting in CKEditor
https://typo3.org/security/advisory/typo3-core-sa-2018-005/
[SECURITY] Update library CKEditor to 4.11.1
https://github.com/TYPO3/TYPO3.CMS/commit/6959fc7c9cca6ff559682df7ee25a64879de5048
CKEditor 4.11 with emoji dropdown and auto link on typing released
https://ckeditor.com/blog/CKEditor-4.11-with-emoji-dropdown-and-auto-link-on-typing-released/#security-issue-fixed
[TYPO3-announce] Announcing TYPO3 v9.5.2, v8.7.21 and v7.6.32 security releases
http://lists.typo3.org/pipermail/typo3-announce/2018/000435.html
CVE-2018-17960
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17960
CVE-2018-17960
https://nvd.nist.gov/vuln/detail/CVE-2018-17960
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 1, 2019