ASA-2018-00077 – TYPO3: Cross-Site Scripting in CKEditor using source area

Allele Security Alert



ASA-2018-00077, TYPO3-CORE-SA-2018-005, CVE-2018-17960


Cross-Site Scripting in CKEditor using source area


TYPO3 Association



Affected version(s)

TYPO3 8.5.0 to 8.7.20 and 9.0.0 to 9.5.1

Fixed version(s)

TYPO3 versions 8.7.21 or 9.5.2

Proof of concept



It has been discovered, that the third party library CKEditor is vulnerable to cross-site scripting. A valid backend user account is needed in order to exploit this vulnerability.

Technical details

CKEditor 4.11 fixes an XSS vulnerability in the HTML parser. The vulnerability stemmed from the fact that it was possible to execute XSS inside the CKEditor source area after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste a specially crafted HTML code, prepared by the attacker, into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode. Although this is an unlikely scenario, we recommend to upgrade to the latest editor version.


maxarr, Peter Kraume and Benni Mack (TYPO3 core team)


TYPO3 9.5.2, 8.7.21 and 7.6.32 security releases published

TYPO3-CORE-SA-2018-005: Cross-Site Scripting in CKEditor

[SECURITY] Update library CKEditor to 4.11.1

CKEditor 4.11 with emoji dropdown and auto link on typing released

[TYPO3-announce] Announcing TYPO3 v9.5.2, v8.7.21 and v7.6.32 security releases



If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: February 1, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.