  1. {RETIRED} CKEditor Integration
  2. CKEDITOR-508

Persistent XSS through CKEditor Configuration


    Description

      Reproduction steps:

      • Log in as a standard user with edit rights
      • Edit CKEditor.Config
      • In the Advanced Configuration field, add some JavaScript code (e.g., console.log('ckeditor'))
      • With any user, edit a page

      Expected result

      • User cannot edit CKEditor.Config without Programming rights

      Actual result

      • Unprivileged users are able to inject JavaScript for any user editing with CKEditor

      Note 1: It might also be possible to do the same by editing the default value of CKEditor.ConfigClass or by adding an XObject of this class when CKEditor.Config is missing.

      Note 2: The affected version needs to be updated; 14.10 is just a placeholder.

      Other things:

      • CKEditor.ConfigSheet must be protected as well, otherwise there is a risk that some dangerous JavaScript is defined before an admin configures CKEditor and copies a bad sheet
      • The same is true for CKEditor.ConfigTemplate and CKEditor.AdminSection
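
The following is an added example, not code from the issue or from the XWiki project. It is a minimal Python model of the reported behaviour next to one possible guard, plus an audit over the five documents named above. The `ConfigDoc` type, the script wrapper, the rights sets and the choice to check the last author's Programming rights are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Documents this issue names as needing protection.
SENSITIVE_DOCS = ("CKEditor.Config", "CKEditor.ConfigClass", "CKEditor.ConfigSheet",
                  "CKEditor.ConfigTemplate", "CKEditor.AdminSection")

@dataclass
class ConfigDoc:
    """Hypothetical stand-in for a wiki page holding the Advanced Configuration field."""
    name: str
    last_author: str
    advanced_config: str = ""

def wrap(body: str) -> str:
    # Hypothetical wrapper: the field's text becomes script run in each editor session.
    return "(function (config) {\n" + body + "\n})(config);"

def emit_reported(doc: ConfigDoc) -> str:
    """Reported behaviour: the field is emitted whoever saved it."""
    return wrap(doc.advanced_config)

def emit_guarded(doc: ConfigDoc, programming_users: set) -> str:
    """Guarded behaviour: ignore the field unless its last author has Programming rights."""
    if doc.last_author not in programming_users:
        return wrap("")
    return wrap(doc.advanced_config)

def audit(editors_by_doc: dict, programming_users: set) -> dict:
    """Map each sensitive document to the users who can edit or create it
    without Programming rights. For a missing document (Note 1), list
    whoever could create it."""
    findings = {}
    for name in SENSITIVE_DOCS:
        risky = sorted(set(editors_by_doc.get(name, ())) - programming_users)
        if risky:
            findings[name] = risky
    return findings

# Constructed sample data, not taken from a real wiki.
PROGRAMMERS = {"admin"}
EDITORS = {"CKEditor.Config": {"admin", "alice"}, "CKEditor.ConfigSheet": {"admin"},
           "CKEditor.AdminSection": {"bob", "alice"}}
SAVED_BY_ALICE = ConfigDoc("CKEditor.Config", "alice", "console.log('ckeditor')")

if __name__ == "__main__":
    print(emit_reported(SAVED_BY_ALICE))
    print(emit_guarded(SAVED_BY_ALICE, PROGRAMMERS))
    print(audit(EDITORS, PROGRAMMERS))
```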

            People

              mleduc Manuel Leduc