[From nobody Wed Apr 8 08:45:07 2026 Received: (at submit) by bugs.debian.org; 2 Oct 2024 20:41:41 +0000 X-Spam-Checker-Version: SpamAssassin 3.4.6-bugs.debian.org_2005_01_02 (2021-04-09) on buxtehude.debian.org X-Spam-Level: X-Spam-Status: No, score=-13.9 required=4.0 tests=BAYES_00, BODY_INCLUDES_PACKAGE,FOURLA,HAS_PACKAGE,MD5_SHA1_SUM,SPF_HELO_NONE, SPF_PASS,SUBJ_LACKS_WORDS autolearn=ham autolearn_force=no version=3.4.6-bugs.debian.org_2005_01_02 X-Spam-Bayes: score:0.0000 Tokens: new, 29; hammy, 150; neutral, 69; spammy, 0. spammytokens: hammytokens:0.000-+--H*r:jmm, 0.000-+--UD:security-tracker.debian.org, 0.000-+--security-tracker.debian.org, 0.000-+--securitytrackerdebianorg, 0.000-+--H*M:westfalen Return-path: <jmm@inutil.org> Received: from vps-b7ad3695.vps.ovh.net ([51.38.114.215]:40556) by buxtehude.debian.org with esmtps (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.94.2) (envelope-from <jmm@inutil.org>) id 1sw6AG-002N2K-02 for submit@bugs.debian.org; Wed, 02 Oct 2024 20:41:40 +0000 Received: from hullmann.fritz.box (p5089a1ba.dip0.t-ipconnect.de [80.137.161.186]) by vps-b7ad3695.vps.ovh.net (Postfix) with ESMTPSA id 4BA483F for <submit@bugs.debian.org>; Wed, 2 Oct 2024 20:41:38 +0000 (UTC) Received: from jmm by hullmann.fritz.box with local (Exim 4.98) (envelope-from <jmm@hullmann.westfalen.local>) id 1sw6AD-00000000A7L-0Ome for submit@bugs.debian.org; Wed, 02 Oct 2024 22:41:37 +0200 Date: Wed, 2 Oct 2024 22:41:37 +0200 To: submit@bugs.debian.org Subject: ckeditor: CVE-2024-43407 Message-ID: <Zv2wAfCvvMPn4TmJ@pisco.westfalen.local> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline From: =?UTF-8?Q?Moritz_M=C3=BChlenhoff?= <jmm@inutil.org> Delivered-To: submit@bugs.debian.org Package: ckeditor X-Debbugs-CC: team@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for ckeditor. CVE-2024-43407[0]: | CKEditor4 is an open source what-you-see-is-what-you-get HTML | editor. A potential vulnerability has been discovered in CKEditor 4 | Code Snippet GeSHi plugin. The vulnerability allowed a reflected XSS | attack by exploiting a flaw in the GeSHi syntax highlighter library | hosted by the victim. The GeSHi library was included as a vendor | dependency in CKEditor 4 source files. In a specific scenario, an | attacker could craft a malicious script that could be executed by | sending a request to the GeSHi library hosted on a PHP web server. | The GeSHi library is no longer actively maintained. Due to the lack | of ongoing support and updates, potential security vulnerabilities | have been identified with its continued use. To mitigate these risks | and enhance the overall security of the CKEditor 4, we have decided | to completely remove the GeSHi library as a dependency. This change | aims to maintain a secure environment and reduce the risk of any | security incidents related to outdated or unsupported software. The | fix is be available in version 4.25.0-lts. https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7r32-vfj5-c2jv Fixed by removing the plugins/codesnippetgeshi/dev directory completely: https://github.com/ckeditor/ckeditor4/commit/71072c9f7f263329841bd38e7e5309074c82ef94 (4.25.0-lts) https://github.com/ckeditor/ckeditor4/commit/951e7d75fcbcaa2590b0719fb0bb0dd0539ca6fa (4.25.0-lts) If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-43407 https://www.cve.org/CVERecord?id=CVE-2024-43407 Please adjust the affected versions in the BTS as needed. ]