Details
-
Security
-
Resolution: Fixed
-
Blocker
-
14.6-rc-1
-
Unknown
-
N/A
-
N/A
-
Pull Request accepted
-
Description
Reproduction steps:
- Log in as a standard user with edit rights
- visit http://localhost:8080/xwiki/bin/admin/XWiki/XWikiPreferences?editor=globaladmin§ion=WYSIWYG and click save at the bottom to create CKEditor.Config
- Edit CKEditor.Config
- In the Advanced Configuration field, add some javascript code (e.g., console.log('ckeditor'))
- With any user, edit a page
Expected result
- User cannot edit CKEditor.Config without Programming rights
Actual result
- Unprivileged users are able to inject javascript for any user editing using CKEditor
Note 1: It might also be possible to do the same by editing the default value of CKEditor.ConfigClass or by adding an XObject of this class when CKEditor.Config is missing
Note 2: The affect version needs to be updated, 14.10 is just a placeholder
Other things:
- CKEditor.ConfigSheet must be protected as well, otherwise there is a risk that some dangerous javascript is defined before and admin configures ckedior and copy a bad sheet
- The same is true for CKEditor.ConfigTemplate and CKEditor.AdminSection
Attachments
Issue Links
- is related to
-
CKEDITOR-508 Persistent XSS through CKEditor Configuration
-
- Closed
-
- links to