WYSIWYG editor vulnerable: Checkmarx discovers vulnerability in CKEditor 4
Application security testing specialist Checkmarx has identified a vulnerability in CKEditor 4. The WYSIWYG editor is mainly used in websites, web frameworks and content management systems such as Drupal or Backdrop.
Checkmarx has discovered a vulnerability in CKEditor 4.
The vulnerability is a stored cross-site scripting (XSS) flaw that affects the edit mode of CKEditor 4. If it is successfully exploited, attackers can execute arbitrary web scripts in the context of the affected site. Possible consequences include account takeover, theft of credentials and access to sensitive data.
Checkmarx informed the maintainers of CKEditor 4 about the vulnerability. It was not initially classified as security-relevant, but was nevertheless fixed in release 4.16.1. Drupal and django-ckeditor also responded after being contacted and adopted the fixed release. To reach all users of CKEditor 4, Checkmarx also had the vulnerability registered with MITRE as a CVE (Common Vulnerabilities and Exposures) under the ID CVE-2021-33829. The severity of the vulnerability is rated "medium".
Vulnerability not effectively fixed
The XSS vulnerability has been known since June 2020 and was assigned CVE-2020-9281 at the time. According to Checkmarx, the root cause was in the HTML data processor, which does not sanitize payloads containing the reserved keyword "cke_protected". This keyword is normally used only internally by CKEditor 4: it marks an HTML comment whose content is stored in encoded form.
At that time, the developers' fix was to remove instances of such a comment before parsing, so that no such marker could be smuggled in from an external source. However, the keyword was only removed once, in a single pass, so nested occurrences survived: stripping "keyword" from "keykeywordword" leaves "keyword" behind. Attackers were therefore still able to exploit a vulnerability that was believed to have been fixed.
A detailed analysis of the vulnerability can be found on the Checkmarx website.