
Checkmarx detects vulnerability in CKEditor 4

June 30, 2021

WYSIWYG editor vulnerable: Checkmarx discovers vulnerability in CKEditor 4

Application security testing specialist Checkmarx has identified a vulnerability in CKEditor 4. The WYSIWYG editor is used mainly on websites, in web frameworks and in content management systems such as Drupal or Backdrop CMS.


The vulnerability is a stored cross-site scripting (XSS) flaw. It affects the editing mode of CKEditor 4: crafted content that is loaded into the editor can carry script that the editor fails to sanitize. If exploited successfully, attackers can execute arbitrary script in the victim's browser. Possible consequences include account takeover, theft of credentials or access to sensitive data.

Checkmarx reported the vulnerability to the maintainers of CKEditor 4. The maintainers did not initially classify it as security-relevant, but fixed it nonetheless in release 4.16.1. Drupal and django-ckeditor, which bundle CKEditor 4, also responded after being contacted and adopted the fixed release. To reach all users of CKEditor 4, Checkmarx additionally had MITRE record the issue as a CVE (Common Vulnerabilities and Exposures) under the ID CVE-2021-33829. The severity of the vulnerability is rated "medium".

Earlier fix was incomplete

The XSS vulnerability has been known since June 2020 and was published at the time as CVE-2020-9281. According to Checkmarx, the root cause lay in the HTML data processor, which does not sanitize payloads carrying the reserved keyword "cke_protected". This keyword is normally used only internally by CKEditor 4: it marks an HTML comment whose content is stored in encoded form, and content inside such a comment is treated as trusted rather than being filtered like ordinary input.

At the time, the developers' fix was to strip any instance of this keyword from the input before parsing, so that no such marker could be smuggled in from an external source. However, the keyword was removed only once, in a single pass, so nested occurrences survived: stripping "keyword" from "keykeywordword" leaves "keyword" behind, and the same trick works with the reserved marker. Attackers could therefore still exploit the vulnerability that was believed to be fixed.
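To make the flaw in the 2020 fix concrete, here is an added example that models the problem generically. It is not CKEditor's own code and not the code Checkmarx analysed: the `{cke_protected}` string stands in for the reserved marker named above, the function names are assumptions, and the payload is constructed for the demonstration. It shows a single-pass filter, the nested input that defeats it, and a filter that repeats until the input stops changing; it also generalizes the article's "keykeywordword" illustration to any token.

```javascript
// Added illustration of the "removed only once" filter flaw described above.
// Not CKEditor code: the token below stands in for the reserved
// {cke_protected} marker, and all function names are assumptions.
const RESERVED = '{cke_protected}';

// Flawed sanitizer: a single pass that deletes every non-overlapping
// occurrence of the token. Equivalent to replace() with a global regex.
function stripOnce(html, token = RESERVED) {
  return html.split(token).join('');
}

// Hardened sanitizer: repeat the single pass until the input stops changing.
// Every pass that removes something strictly shortens the string, so the loop
// terminates; when it exits, no occurrence of the token can remain.
function stripToFixpoint(html, token = RESERVED) {
  let previous;
  do {
    previous = html;
    html = html.split(token).join('');
  } while (html !== previous);
  return html;
}

// Builds the nested payload the article describes: the token spliced into
// the middle of itself. Deleting the inner copy reassembles the outer one.
function nest(token = RESERVED) {
  const mid = Math.floor(token.length / 2);
  return token.slice(0, mid) + token + token.slice(mid);
}

// Post-filter check: does the marker still appear in the output?
function containsReserved(html, token = RESERVED) {
  return html.includes(token);
}

// Demonstration on constructed input (not a real capture).
const payload = nest();                          // '{cke_pr{cke_protected}otected}'
const afterOnce = stripOnce(payload);            // '{cke_protected}' survives one pass
const afterFixpoint = stripToFixpoint(payload);  // '' once the filter iterates
console.log({ payload, afterOnce, afterFixpoint,
  bypassed: containsReserved(afterOnce),
  fixed: containsReserved(afterFixpoint) });
```

The general lesson is the one Checkmarx's finding illustrates: a blacklist-style filter must be applied until the output is stable (or the input rejected outright when the marker appears at all), because a single deletion pass can reassemble exactly the string it was meant to remove.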

A detailed analysis of the vulnerability can be found on the Checkmarx website.
