[Pkg-javascript-devel] Bug#1083192: ckeditor: CVE-2024-43407

Moritz Mühlenhoff jmm at inutil.org
Wed Oct 2 21:41:37 BST 2024


Package: ckeditor
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for ckeditor.

CVE-2024-43407[0]:
| CKEditor4 is an open source what-you-see-is-what-you-get HTML
| editor. A potential vulnerability has been discovered in CKEditor 4
| Code Snippet GeSHi plugin. The vulnerability allowed a reflected XSS
| attack by exploiting a flaw in the GeSHi syntax highlighter library
| hosted by the victim. The GeSHi library was included as a vendor
| dependency in CKEditor 4 source files. In a specific scenario, an
| attacker could craft a malicious script that could be executed by
| sending a request to the GeSHi library hosted on a PHP web server.
| The GeSHi library is no longer actively maintained. Due to the lack
| of ongoing support and updates, potential security vulnerabilities
| have been identified with its continued use. To mitigate these risks
| and enhance the overall security of the CKEditor 4, we have decided
| to completely remove the GeSHi library as a dependency. This change
| aims to maintain a secure environment and reduce the risk of any
| security incidents related to outdated or unsupported software. The
| fix is available in version 4.25.0-lts.

https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7r32-vfj5-c2jv

Fixed by removing the plugins/codesnippetgeshi/dev directory completely:
https://github.com/ckeditor/ckeditor4/commit/71072c9f7f263329841bd38e7e5309074c82ef94 (4.25.0-lts)
https://github.com/ckeditor/ckeditor4/commit/951e7d75fcbcaa2590b0719fb0bb0dd0539ca6fa (4.25.0-lts)
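
A defender's audit check for the fix described above, added here as an example and not part of this bug report, of Debian's tooling or of CKEditor's code: it walks a web root and reports every CKEditor 4 copy that still ships the plugins/codesnippetgeshi/dev directory the upstream commits remove. The tree it scans is constructed in a temporary directory; the file names inside it are placeholders.

```python
"""Audit a web root for the CKEditor 4 GeSHi dev directory removed in 4.25.0-lts.

Added example for bug #1083192 / CVE-2024-43407; not Debian's or CKEditor's tooling.
"""
import os
import tempfile
from pathlib import Path

# Directory deleted by the upstream fix commits. If an installed copy still
# has it, that copy still carries the unmaintained GeSHi PHP code.
VULNERABLE_SUBPATH = Path("plugins") / "codesnippetgeshi" / "dev"


def find_geshi_dev_dirs(root):
    """Return every directory under root whose last three components are
    plugins/codesnippetgeshi/dev, regardless of where ckeditor is installed."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        p = Path(dirpath)
        if len(p.parts) >= 3 and Path(*p.parts[-3:]) == VULNERABLE_SUBPATH:
            hits.append(p)
            dirnames[:] = []  # found it; no need to descend into the dev tree
    return sorted(hits)


def build_constructed_tree(base):
    """Constructed sample: site-a is unpatched (dev/ present), site-b is patched."""
    base = Path(base)
    vuln = base / "site-a" / "ckeditor" / VULNERABLE_SUBPATH
    vuln.mkdir(parents=True)
    (vuln / "geshi.php").write_text("<?php // constructed placeholder\n")
    patched = base / "site-b" / "ckeditor" / "plugins" / "codesnippetgeshi"
    patched.mkdir(parents=True)
    (patched / "plugin.js").write_text("// constructed placeholder\n")
    return base


def audit_constructed_tree():
    """Build the sample tree, scan it, return hits relative to the tree root."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        return [h.relative_to(tmp).as_posix() for h in find_geshi_dev_dirs(tmp)]


if __name__ == "__main__":
    for rel in audit_constructed_tree():
        print("unpatched GeSHi dev directory still present:", rel)
```

Point find_geshi_dev_dirs() at a real web root (for example /var/www) to list installs that still need the 4.25.0-lts fix or the directory removed by hand.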


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-43407
    https://www.cve.org/CVERecord?id=CVE-2024-43407

Please adjust the affected versions in the BTS as needed.