Allele Security Alert
ASA-2018-00077, TYPO3-CORE-SA-2018-005, CVE-2018-17960
Cross-Site Scripting in CKEditor using source area
TYPO3 8.5.0 to 8.7.20 and 9.0.0 to 9.5.1
TYPO3 versions 8.7.21 or 9.5.2
Proof of concept
It has been discovered, that the third party library CKEditor is vulnerable to cross-site scripting. A valid backend user account is needed in order to exploit this vulnerability.
CKEditor 4.11 fixes an XSS vulnerability in the HTML parser. The vulnerability stemmed from the fact that it was possible to execute XSS inside the CKEditor source area after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste a specially crafted HTML code, prepared by the attacker, into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode. Although this is an unlikely scenario, we recommend to upgrade to the latest editor version.
maxarr, Peter Kraume and Benni Mack (TYPO3 core team)
TYPO3 9.5.2, 8.7.21 and 7.6.32 security releases published
TYPO3-CORE-SA-2018-005: Cross-Site Scripting in CKEditor
[SECURITY] Update library CKEditor to 4.11.1
CKEditor 4.11 with emoji dropdown and auto link on typing released
[TYPO3-announce] Announcing TYPO3 v9.5.2, v8.7.21 and v7.6.32 security releases
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 1, 2019