ASA-2018-00078 – TYPO3: Cross-Site Scripting in CKEditor using img tag


Allele Security Alert

ASA-2018-00078

Identifier(s)

ASA-2018-00078, TYPO3-CORE-SA-2018-005

Title

Cross-Site Scripting in CKEditor using img tag

Vendor(s)

TYPO3 Association

Product(s)

TYPO3

Affected version(s)

TYPO3 8.5.0 to 8.7.20 and 9.0.0 to 9.5.1

Fixed version(s)

TYPO3 versions 8.7.21 or 9.5.2

Proof of concept

Unknown

Description

It has been discovered that the third-party library CKEditor is vulnerable to cross-site scripting. A valid backend user account is needed in order to exploit this vulnerability.

Technical details

CKEditor 4.9.2 fixes an XSS vulnerability in the Enhanced Image (image2) plugin. The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor using the <img> tag and specially crafted HTML.
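As an added triage aid (example code, not part of this alert or of the TYPO3 project), the script below checks whether a TYPO3 version string falls inside the affected ranges stated above (8.5.0 to 8.7.20 and 9.0.0 to 9.5.1) and names the fixed release on the same branch (8.7.21 or 9.5.2). The composer.lock excerpt is constructed for the example; the package name typo3/cms-core and the "v" prefix on its version follow the Composer conventions of TYPO3 distributions, and all function names are this example's own.

```python
import json

# Affected and fixed version ranges exactly as stated in the alert above.
AFFECTED_RANGES = (
    ((8, 5, 0), (8, 7, 20)),
    ((9, 0, 0), (9, 5, 1)),
)
FIXED_VERSIONS = ((8, 7, 21), (9, 5, 2))


def parse_version(text):
    """Turn '8.7.20' or 'v8.7.20' into the tuple (8, 7, 20).

    Only plain three-part numeric versions are accepted; anything else
    (dev builds, release candidates) is rejected rather than guessed at.
    """
    cleaned = text.strip().lstrip("v")
    parts = cleaned.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected TYPO3 version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version_text):
    """True if the version lies inside one of the advisory's affected ranges."""
    version = parse_version(version_text)
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def fixed_version_for(version_text):
    """Return the fixed release on the same major branch, or None if the
    branch is not covered by this alert."""
    version = parse_version(version_text)
    for fixed in FIXED_VERSIONS:
        if fixed[0] == version[0]:
            return ".".join(str(n) for n in fixed)
    return None


def core_version_from_composer_lock(lock_text):
    """Extract the typo3/cms-core version from composer.lock JSON text.

    Returns None when the package is not listed (e.g. a non-Composer install).
    """
    data = json.loads(lock_text)
    for package in data.get("packages", []):
        if package.get("name") == "typo3/cms-core":
            return package["version"]
    return None


def triage(lock_text):
    """Summarise exposure for one composer.lock: (version, affected, fixed)."""
    version = core_version_from_composer_lock(lock_text)
    if version is None:
        return (None, False, None)
    return (version, is_affected(version), fixed_version_for(version))


# Constructed composer.lock excerpt for the example (not a real project file).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "psr/log", "version": "1.1.0"},
        {"name": "typo3/cms-core", "version": "v9.5.1"},
    ]
})

if __name__ == "__main__":
    version, affected, fixed = triage(SAMPLE_LOCK)
    print(f"typo3/cms-core {version}: affected={affected}, update to {fixed}")
```

Run against a real composer.lock by replacing SAMPLE_LOCK with the file's contents; installs that are not Composer-managed report None and need the version read from the backend instead. Versions outside the two listed branches (for instance 7.6.x) are reported as not covered by this alert rather than as safe, because the alert makes no statement about them.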

Credits

Kyaw Min Thein, Peter Kraume and Benni Mack (TYPO3 core team)

Reference(s)

TYPO3 9.5.2, 8.7.21 and 7.6.32 security releases published
https://typo3.org/article/typo3-952-8721-and-7632-security-releases-published/

TYPO3-CORE-SA-2018-005: Cross-Site Scripting in CKEditor
https://typo3.org/security/advisory/typo3-core-sa-2018-005/

[SECURITY] Update library CKEditor to 4.11.1
https://github.com/TYPO3/TYPO3.CMS/commit/6959fc7c9cca6ff559682df7ee25a64879de5048

CKEditor 4.9.2 with a security patch released
https://ckeditor.com/blog/CKEditor-4.9.2-with-a-security-patch-released/#security-issue-fixed

[TYPO3-announce] Announcing TYPO3 v9.5.2, v8.7.21 and v7.6.32 security releases
http://lists.typo3.org/pipermail/typo3-announce/2018/000435.html

CVE-2018-17960
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17960

CVE-2018-17960
https://nvd.nist.gov/vuln/detail/CVE-2018-17960

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: February 1, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.