Created on 16 February 2024, 10 months ago
Updated 2 July 2024, 6 months ago

Problem/Motivation

This module installs CKE 4.21.0, so it is vulnerable to CVE-2024-24815.
I know this module is now unsupported and I don't expect a fix.

However, would it make sense to mark every release as insecure? (Similarly to what was done for the swiftmailer module: https://www.drupal.org/project/swiftmailer/releases →)
This would allow tools like composer audit to warn users that the module is not secure.

📌 Task
Status

Active

Version

1.0

Component

Miscellaneous

Created by

🇫🇷 France prudloff Lille

  • Security

    It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal's security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page's sidebar. See how to report a security issue for details.


Comments & Activities

  • Issue created by @prudloff
  • 🇫🇷 France prudloff Lille
  • 🇺🇸 United States markusa

    We're seeing sites getting affected now.
    Files appear in sites/default/files/js
    $ find ./ -name "*wysiwyg_ckeditors*"
    ./sites/default/files/js/wysiwyg_ckeditors_uWMoMQ5qlhtyHc-FJlMT-azsAxhCeS89weKBiAtXujlM.js
    /sites/default/files/js/wysiwyg_ckeditors_uWMoMQ7qlhtyf-cFJlMTazsAxhCeS88weKBiAtXujAQ.js

    These files contain lists of links to phishing sites.

    1 site fully compromised, and another looking like it's happening.

    Disable or remove CKEditor from being used immediately.
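
    As an added example (not code from this thread, from Drupal or from the CKEditor project): a small shell triage for the directory described in the comment above. It assumes a stock Drupal 7 layout, in which the only JavaScript Drupal core itself writes to sites/default/files/js is its aggregated js_<hash>.js files, so every other .js file there (such as the wysiwyg_ckeditors_*.js files reported) is listed together with the hostnames it links to. That is the quickest way to see whether a file is the phishing link list described or something a module legitimately wrote. The sample files created at the bottom are constructed stand-ins, not real injected content.

```shell
#!/bin/sh
# Added example, not from the issue thread. Assumption: in a stock Drupal 7
# site, core only ever writes js_<hash>.js aggregates into
# sites/default/files/js, so any other .js file there deserves a look.

# List .js files directly in $1 whose names do not follow the js_<hash>.js
# aggregate pattern.
unexpected_js_files() {
  find "$1" -maxdepth 1 -type f -name '*.js' ! -name 'js_*.js' | sort
}

# Print the distinct hostnames referenced by absolute http(s) URLs in file $1,
# one per line. Exits non-zero when the file links nowhere.
linked_hosts() {
  grep -oE 'https?://[^/"'\''[:space:]<>]+' "$1" \
    | sed -E 's#^https?://##' \
    | sort -u
}

# For every unexpected file under $1, print its size and the hosts it links to.
triage_js_dir() {
  unexpected_js_files "$1" | while IFS= read -r f; do
    echo "== $f ($(wc -c < "$f" | tr -d ' ') bytes)"
    linked_hosts "$f" | sed 's/^/   links to: /'
  done
}

# Demo on constructed files (not real aggregates or real injected content).
demo=$(mktemp -d)
printf 'Drupal.behaviors={};' > "$demo/js_AbC123.js"   # looks like a normal aggregate
cat > "$demo/wysiwyg_ckeditors_EXAMPLE0000.js" <<'EOF'
var links=["https://login-verify.example.net/acct","http://secure-update.example.org/x","https://login-verify.example.net/reset"];
EOF
triage_js_dir "$demo"
# Real use: triage_js_dir /path/to/site/sites/default/files/js
rm -rf "$demo"
```

    On a real site, run it against sites/default/files/js and compare the reported hosts with domains the site actually uses; a second copy of the file named after its find(1) path in the comment above is what a clean-up should remove, after the content of the list has been preserved for the incident record.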

  • 🇪🇨 Ecuador jwilson3

    Is this issue mitigated by the fact that you must have access to the CKEditor (which is typically only limited to administrative users)?

    As a side note: Our staff reached out to the CKSource team and were quoted a completely inaccessible and unrealistic price to purchase the LTS support for CKE4.

    Organizations on a legacy Drupal project that do NOT have money to upgrade to Drupal 9 also do NOT have $10k per year per project to keep exploits out of their website. So in the end, we're recommending they disable CKEditor until they're able to migrate off. This is a really unfortunate circumstance.

  • 🇺🇸 United States nate covington

    I'm reading here:
    https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v...

    It looks like this vulnerability only applies if you have "Full Page Editing" enabled? Or the Advanced Configuration re: CDATA? Can someone double-check my math, etc.? It seems like for most private D7 sites, where you only have a few admins, the general public never touches CKEditor... this doesn't apply?

  • 🇺🇸 United States Fred Herman

    Is there another module that provides the same functionality as CKEditor for Drupal 7? I am not using Composer, I have just been downloading new modules as required.

  • 🇺🇸 United States nate covington

    I'm looking at the security details here:
    https://security.snyk.io/package/npm/ckeditor4/4.14.0

    It looks like the issue is in this file specifically:
    /core/htmlparser.js

    On my D7 site, using ckeditor 7.x-1.22, I renamed the file like this, to disable it:
    /sites/all/libraries/ckeditor/_source/core/htmlparser-suspect.js

    Then I went back into the site and was able to edit / save / etc.

    There was a reference to this file too:
    /public_html/sites/all/libraries/ckeditor/_samples/ajax.html

    I renamed it like this to be safe:
    /public_html/sites/all/libraries/ckeditor/_samples/ajax-disable.html

    In a few weeks I plan on removing these files altogether because they don't seem to be mission critical ^

    Thanks,
    -Nate
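
    As an added example (not code from this thread, from Drupal or from the CKEditor project): a shell check that reads the version out of the compiled ckeditor.js and compares it against 4.24.0-lts, the fix version quoted later in this thread. It serves two points raised above: the issue summary wants tooling to warn that the shipped library is insecure, and sites like the one in the comment just above are not managed with Composer, so composer audit cannot warn them. The check looks at the bundle under sites/all/libraries/ckeditor/ (the library path used in that comment) rather than at files under _source, because the compiled ckeditor.js already embeds the core parser and is the file the browser actually loads. The library path and the `version:"4.x.y"` field format inside the bundle are assumptions; the files created at the bottom are constructed stand-ins, not real CKEditor builds.

```shell
#!/bin/sh
# Added example, not from the issue thread: flag a CKEditor 4 library whose
# compiled ckeditor.js is older than 4.24.0-lts (the fix version named in
# the thread). Assumptions: the bundle carries a `version:"4.21.0"`-style
# field, and the library lives at sites/all/libraries/ckeditor/.

FIXED_VERSION="4.24.0"

# Print the version string found in a compiled ckeditor.js. The first match
# wins; in the bundle that is CKEDITOR's own version field.
ckeditor_version() {
  grep -oE 'version:[[:space:]]*["'\''][0-9]+(\.[0-9]+)*(-[a-z]+)?["'\'']' "$1" \
    | head -n 1 \
    | grep -oE '[0-9]+(\.[0-9]+)*(-[a-z]+)?'
}

# Succeed (exit 0) when version $1 is lower than version $2. Components are
# compared numerically; a suffix such as "-lts" is ignored, so 4.24.0-lts is
# not lower than 4.24.0.
version_lt() {
  a=${1%%-*}; b=${2%%-*}
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
    case $a in *.*) a=${a#*.};; *) a=;; esac
    case $b in *.*) b=${b#*.};; *) b=;; esac
  done
  return 1
}

# Audit one library directory. Exit 0 = at or above the fix version,
# 1 = vulnerable version, 2 = could not determine.
audit_ckeditor() {
  js="$1/ckeditor.js"
  [ -f "$js" ] || { echo "$1: no ckeditor.js found" >&2; return 2; }
  v=$(ckeditor_version "$js")
  [ -n "$v" ] || { echo "$js: no version field found" >&2; return 2; }
  if version_lt "$v" "$FIXED_VERSION"; then
    echo "$js: $v is below $FIXED_VERSION-lts (CVE-2024-24815 unfixed)"
    return 1
  fi
  echo "$js: $v is at or above $FIXED_VERSION-lts"
  return 0
}

# Demo on constructed stand-ins (not real CKEditor builds).
demo=$(mktemp -d)
mkdir -p "$demo/old/ckeditor" "$demo/lts/ckeditor"
printf 'window.CKEDITOR||(window.CKEDITOR=function(){var a={timestamp:"X",version:"4.21.0",revision:"abc"};' \
  > "$demo/old/ckeditor/ckeditor.js"
printf 'window.CKEDITOR||(window.CKEDITOR=function(){var a={timestamp:"X",version:"4.24.0-lts",revision:"def"};' \
  > "$demo/lts/ckeditor/ckeditor.js"
audit_ckeditor "$demo/old/ckeditor" || true   # reports the old build as unfixed
audit_ckeditor "$demo/lts/ckeditor" || true   # reports the LTS build as fixed
# Real use: audit_ckeditor /path/to/site/sites/all/libraries/ckeditor
rm -rf "$demo"
```

    The exit code makes the function usable from a cron job or a deployment gate, which is the same signal the issue summary asks composer audit to give for Composer-managed sites.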

  • 🇺🇸 United States sikofitt

    It looks like there are no alternatives. https://www.drupal.org/project/wysiwyg → is minimally maintained, supporting CKEditor 4 and TinyMCE 4, which are both out of support. I'm not even sure using a company for LTS or D7Security is an option, since CKEditor 4 LTS is a paid solution.

  • 🇺🇸 United States seanr

    Per that same CVE report:

    The fix will be available in version 4.24.0-lts

    Would it not be possible to pull that release into this module? I've got a situation where upgrading to CKEditor 5 causes breakage. I'd obviously like to get it upgraded and that issue resolved, but finding the time...

  • 🇺🇸 United States nate covington

    Would it not be possible to pull that release into this module? I've got a situation where upgrading to CKEditor 5 causes breakage on a D10 upgrade. I'd obviously like to get it upgraded and that issue resolved, but finding the time...

    I think the issue is the 4.24.x-LTS is the "commercial" flavor of the plugin. So yes, you can use this. But most of us are sitting here scratching our heads over the "suddenly commercial" license and looking for alternatives.

  • 🇺🇸 United States Fred Herman

    I'm willing to donate some $$ if someone can create a non-commercial equivalent to CKEditor, preferably with a simple module without the complicated plugin organization.

  • 🇺🇸 United States sikofitt

    There is also this module: https://www.drupal.org/project/ckeditor_lts →. Although you still need to pay CKEditor money for the long-term support.

  • 🇺🇸 United States seanr

    Ah, got it. I ended up migrating my sites to CK5, so it's kinda moot, but it's a PITA since the config isn't 1-to-1. :(

  • 🇺🇸 United States nate covington

    You mean this?
    https://www.drupal.org/project/ckeditor5 →

    It says it's not supported. You mean you updated the Drupal 7 sites to Drupal 9/10?
