FEDORA-EPEL-2020-9190462510 created by siwinski 4 months ago for Fedora EPEL 6
stable

CKEditor 4.14

Security Updates:

  • CVE-2020-9281 Fixed XSS vulnerability in the HTML data processor reported by MichaƂ Bentkowski of Securitum.

    Issue summary: It was possible to execute XSS inside CKEditor after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste a specially crafted HTML code, prepared by the attacker, into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode or (i) copy the specially crafted HTML code, prepared by the attacker and (ii) paste it into CKEditor in WYSIWYG mode.

  • CVE-2020-9440 Fixed XSS vulnerability in the WebSpellChecker Dialog plugin reported by Pham Van Khanh from Viettel Cyber Security.

    Issue summary: It was possible to execute XSS using CKEditor after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste a specially crafted HTML code, prepared by the attacker, into the opened CKEditor source area, then (iii) switch back to WYSIWYG mode, and (iv) preview CKEditor content outside CKEditor editable area.

An upgrade is highly recommended!

New features:

Fixed Issues:

  • #3587: [Edge, IE] Fixed: Widget with form input elements loses focus during typing.
  • #3705: [Safari] Fixed: Safari incorrectly removes blocks with the editor.extractSelectedHtml() method after selecting all content.
  • #1306: Fixed: The Font plugin creates nested HTML <span> tags when reapplying the same font multiple times.
  • #3498: Fixed: The editor throws an error during the copy operation when a widget is partially selected.
  • #2517: [Chrome, Firefox, Safari] Fixed: Inserting a new image when the selection partially covers an existing enhanced image widget throws an error.
  • #3007: [Chrome, Firefox, Safari] Fixed: Cannot modify the editor content once the selection is released over a widget.
  • #3698: Fixed: Cutting the selected text when a widget is partially selected merges paragraphs.

API Changes:

This update has been submitted for testing by siwinski.

4 months ago

This update's test gating status has been changed to 'waiting'.

4 months ago

This update's test gating status has been changed to 'ignored'.

4 months ago

This update has been pushed to testing.

4 months ago

This update's test gating status has been changed to 'greenwave_failed'.

3 months ago

This update's test gating status has been changed to 'ignored'.

3 months ago

This update can be pushed to stable now if the maintainer wishes

3 months ago

This update has been submitted for stable by bodhi.

3 months ago

This update has been pushed to stable.

3 months ago

Please login to add feedback.

Metadata
Type
security
Severity
high
Karma
0
Signed
Content Type
RPM
Test Gating
Settings
Unstable by Karma
-3
Stable by Karma
3
Stable by Time
14 days
Dates
submitted
4 months ago
in testing
4 months ago
in stable
3 months ago
BZ#1810020 ckeditor-4.14.0 is available
0
0
BZ#1814826 CVE-2020-9281 ckeditor: XSS in the HTML Data Processor allows remote attackers to inject arbitrary web script through a crafted "protected" comment [fedora-all]
0
0
BZ#1814827 CVE-2020-9281 ckeditor: XSS in the HTML Data Processor allows remote attackers to inject arbitrary web script through a crafted "protected" comment [epel-all]
0
0

Automated Test Results