execSync() call might allow an attacker to inject malicious commands

Created on 4 December 2023, 9 months ago
Updated 5 December 2023, 9 months ago

Problem/Motivation

CKEditor 5 core issue

Steps to reproduce

While running a security scan we came across the vulnerability finding below in /web/core/scripts/js/ckeditor5-check-plugins.js [execSync()] - line 33

The method lambda() in ckeditor5-checkplugins.js calls execSync() to execute a command. This call might allow an attacker to inject malicious commands. Command injection vulnerabilities take two forms:
- An attacker can change the command that the program executes: the attacker explicitly controls what the command is.
- An attacker can change the environment in which the command executes: the attacker implicitly controls what the command means.

Proposed resolution

I have applied the attached patch, referring to https://github.com/facebook/create-react-app/pull/12590. But I still need some assistance, in case there is an available solution which I couldn't find, or if this solution causes any issues in future.

Remaining tasks

Please assist with the above.

🐛 Bug report
Status

Active

Version

10.1

Component
CKEditor 5 


Created by

🇮🇳India rashiseth200


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Issue created by @rashiseth200
  • 🇬🇧United Kingdom longwave UK

    When you created this issue, you were given the following warning:

    Security issues should not be reported here. Follow the procedure for reporting security issues.

    I am unpublishing this issue as it did not follow the security reporting process. I do not believe there is a vulnerability here, but the process must still be followed to report security issues.
