VRB News
Virtual Reality Brisbane

Checkmarx detects vulnerability in CKEditor 4

by admin, June 30, 2021, in IT news

WYSIWYG editor vulnerable

Application security testing specialist Checkmarx has identified a vulnerability in CKEditor 4. The WYSIWYG editor is used mainly in websites, web frameworks and content management systems such as Drupal or Backdrop.

Checkmarx has discovered a vulnerability in CKEditor 4. (Picture: Checkmarx)

The flaw is a stored cross-site scripting (XSS) vulnerability that affects the editing mode of CKEditor 4. A successful exploit lets an attacker run arbitrary script in the browser of anyone who opens the affected content. Possible consequences include account takeover, theft of credentials and access to sensitive data.

Checkmarx reported the vulnerability to the maintainers of CKEditor 4. They initially did not classify it as security-relevant, but nevertheless fixed it in release 4.16.1. Drupal and django-ckeditor also responded after being contacted by Checkmarx and adopted the fixed release. To reach all users of CKEditor 4, Checkmarx additionally had the vulnerability recorded by MITRE as a CVE ("Common Vulnerabilities and Exposures") under the ID CVE-2021-33829. Its risk is rated "medium".

Earlier fix was not effective

The underlying XSS vulnerability has been known since 2020, when it was published as CVE-2020-9281. According to Checkmarx, the root cause lay in the HTML data processor, which did not sanitize payloads containing the reserved marker {cke_protected}. This marker is normally used only internally by CKEditor 4: it designates an HTML comment whose content is encoded so that the editor does not process it further.

The developers' fix at the time was to strip such comments from the input before parsing, so that none could be injected from an external source. However, the marker was stripped only once, so a nested instance survives a single pass: removing "keyword" from "keykeywordword" once leaves "keyword" behind. Attackers could therefore still exploit a vulnerability that was believed to be fixed.
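As an added illustration (this is not code from CKEditor or from Checkmarx's write-up), the following JavaScript shows why a single-pass removal of a reserved marker can be bypassed by nesting, and two ways to close that gap: repeating the removal until the text stops changing, or rejecting any input in which the marker survives sanitization. The marker string mirrors the one named above; the stripOnce, stripUntilStable, rejectIfMarkerPresent and nestMarker functions and the sample input are hypothetical and constructed for this example.

```javascript
// Added example, not CKEditor's or Checkmarx's code. It models the flaw the
// article describes: a reserved marker is stripped from untrusted input in a
// single pass, so an attacker who nests the marker inside itself gets one
// copy back after the strip. The marker string mirrors the one in the article;
// everything else here is a hypothetical stand-in.

const MARKER = "{cke_protected}"; // CKEditor-internal marker named in the article

// Vulnerable pattern: remove every occurrence of the marker once.
// Occurrences that only come into existence *because* of a removal are missed.
function stripOnce(input, marker = MARKER) {
  return input.split(marker).join("");
}

// Hardened pattern: strip repeatedly until a pass changes nothing (fixed point).
// The round limit stops pathological input from spinning the loop; hitting it
// is treated as an error rather than returning partially sanitized text.
function stripUntilStable(input, marker = MARKER, maxRounds = 64) {
  let current = input;
  for (let round = 0; round < maxRounds; round++) {
    const next = current.split(marker).join("");
    if (next === current) {
      return next;
    }
    current = next;
  }
  throw new Error("marker removal did not converge");
}

// Alternative hardening: refuse input that still carries the marker after
// sanitization instead of trying to repair it. Returns true if the text is safe.
function rejectIfMarkerPresent(sanitized, marker = MARKER) {
  return !sanitized.includes(marker);
}

// Construct the nested bypass: split the marker in half and wrap the halves
// around `depth` inner copies, e.g. "{cke_pr" + "{cke_protected}" + "otected}".
function nestMarker(marker, depth) {
  const cut = Math.floor(marker.length / 2);
  let s = marker;
  for (let i = 0; i < depth; i++) {
    s = marker.slice(0, cut) + s + marker.slice(cut);
  }
  return s;
}

// Walk one constructed sample through both sanitizers and report what survives.
function demo() {
  // Constructed attacker input: an HTML comment carrying a nested marker.
  const hostile = "<!--" + nestMarker(MARKER, 1) + "payload-->";
  const once = stripOnce(hostile);
  const stable = stripUntilStable(hostile);
  return {
    afterOnce: once,                               // the marker is back
    onceAccepted: rejectIfMarkerPresent(once),     // false: would be rejected
    afterStable: stable,                           // marker gone
    stableAccepted: rejectIfMarkerPresent(stable), // true
  };
}

console.log(demo());
```

The fixed-point loop only addresses the nesting trick shown in the article; a real sanitizer also has to cope with case variants, entity-encoded characters and the other ways an attacker can spell the same marker, which is why checking the output and rejecting anything that still contains the marker is the more robust of the two defences.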

A detailed analysis of the vulnerability can be found on the Checkmarx website.

(ID:47481997)

© 2021 - The project has been developed by ServReality