ckeditor version 4.7.1 in Pega 23.1
Hi
We are in Pega 23 and recent scan revealed Pega is using ckeditor version 4.7.1, which has below vulnerabilities. How do I resolve this?
Hi
We are in Pega 23 and recent scan revealed Pega is using ckeditor version 4.7.1, which has below vulnerabilities. How do I resolve this?
XSS if the enhanced image plugin is installed https://ckeditor.com/blog/CKEditor-4.9.2-with-a-security-patch-released/ https://ckeditor.com/cke4/release-notes XSS vulnerability in the HTML parser https://ckeditor.com/blog/CKEditor-4.11-with-emoji-dropdown-and-auto-link-on-typing-released/ https://snyk.io/vuln/SNYK-JS-CKEDITOR-72618 XSS-type attack inside CKEditor 4 by persuading a victim to paste a specially crafted HTML code into the Color Button dialog https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-4151 XSS https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-414 ReDoS vulnerability in Autolink plugin and Advanced Tab for Dialogs plugin https://ckeditor.com/cke4/release/CKEditor-4.16.0 CVE-2021-32809: XSS vulnerability in the Clipboard plugin CVE-2021-32808: XSS vulnerability in the Widget plugin CVE-2021-37695: XSS vulnerability in the Fake Objects plugin CVE-2021-41164, CVE-2021-41165: XSS vulnerabilities in the core module CVE-2022-24728: Inject malformed URL to bypass content sanitization for XSS
Accepted Solution
Pegasystems Inc.
GB
@Arvind I see that you logged the same question with our GCS team on the 23rd February under INC-C8092 (CKEditor 4.7.1 has security vulnerabilities in Pega 23 )
The solution provided was:
-------------------------------------------
Solution type description:
The vulnerabilities marked for CKEditor 4.7.1 do not impact the Pega platform since we use our custom wrapper code to mitigate the vulnerabilities of CKEditor plugins. The detailed notes are provided below:
Out of the vulnerabilities listed for the version 4.7.1, only one is relevant to us- “CKEditor 4.x before 4.11.0 allows user assisted XSS involving a source mode paste”. The other vulnerabilities are due to the Enhanced Image plugin and Preview Plugin which we don’t use or include in the platform. We have handled this vulnerability via the JSoupParser Utility in the platform which cleans the RTE content of script tags in the iFrames and attributes like On error, on change using which JS can be injected. This doesn't throw any error or give any warning if it encounters any such script or an attribute, it simply removes such script and attributes. We have also adopted the DOMPurify plugin for CKEditor to further help sanitize the RTE content.
-------------------------------------