- Issue created by @prudloff
- 🇺🇸 United States markusa
We're seeing sites getting affected now.
Files appear in sites/default/files/js
$ find ./ -name "*wysiwyg_ckeditors*"
./sites/default/files/js/wysiwyg_ckeditors_uWMoMQ5qlhtyHc-FJlMT-azsAxhCeS89weKBiAtXujlM.js
/sites/default/files/js/wysiwyg_ckeditors_uWMoMQ7qlhtyf-cFJlMTazsAxhCeS88weKBiAtXujAQ.js
These files contain a list of links to phishing sites.
1 site fully compromised, and another looking like it's happening.
Disable or remove Ckeditor from being used immediately.
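The find above only locates the injected files. As an added example (not part of markusa's comment, and not code from the Drupal or CKEditor projects), the POSIX shell script below scans a Drupal docroot for any wysiwyg_ckeditors_*.js under sites/*/files and prints the URLs each one embeds, so the link list can be reviewed and blocked. The reported location is sites/default/files/js; looking at every sites/* directory is an assumption made here to cover multisite installs. The sample docroot, its file name and its example.com/example.net URLs are constructed placeholders, not real indicators.

```shell
#!/bin/sh
# Added example, not from the issue thread: scan a Drupal docroot for the
# indicator files described above and pull out the URLs they embed.

# scan_ckeditor_iocs DOCROOT
# Prints one line per URL found: "<path> <url>", or "<path> (no urls)" when
# a matching file holds no URL. Matches files named wysiwyg_ckeditors_*.js
# anywhere under sites/*/files (assumption: covers multisite docroots too).
scan_ckeditor_iocs() {
    docroot=$1
    find "$docroot" -path '*/sites/*/files/*' -name 'wysiwyg_ckeditors_*.js' -type f 2>/dev/null |
    while IFS= read -r f; do
        # Crude URL extraction: http(s):// up to a quote, whitespace or delimiter.
        urls=$(grep -Eo "https?://[^\"'[:space:]<>)]+" "$f" | sort -u)
        if [ -n "$urls" ]; then
            printf '%s\n' "$urls" | while IFS= read -r u; do
                printf '%s %s\n' "$f" "$u"
            done
        else
            printf '%s (no urls)\n' "$f"
        fi
    done
}

# count_ckeditor_iocs DOCROOT -> number of matching files (0 means nothing found)
count_ckeditor_iocs() {
    find "$1" -path '*/sites/*/files/*' -name 'wysiwyg_ckeditors_*.js' -type f 2>/dev/null |
    wc -l | tr -d ' '
}

# Constructed sample docroot (not real data): one legitimate aggregated JS file
# and one file shaped like the indicator, carrying placeholder URLs.
make_sample_docroot() {
    d=$(mktemp -d)
    mkdir -p "$d/sites/default/files/js"
    printf 'console.log("normal aggregated js");\n' > "$d/sites/default/files/js/js_abc123.js"
    cat > "$d/sites/default/files/js/wysiwyg_ckeditors_SAMPLE0001.js" <<'EOF'
var links=["https://example.com/login","https://example.net/verify","https://example.com/login"];
EOF
    printf '%s\n' "$d"
}

# Stand-alone run: build the sample tree, scan it, clean up.
# Against a live site, call: scan_ckeditor_iocs /var/www/html
root=$(make_sample_docroot)
scan_ckeditor_iocs "$root"
rm -rf "$root"
```

The URL pattern is deliberately loose so that obfuscated or concatenated strings are still surfaced for manual review; a file that matches the name pattern but yields no URLs is still reported, because its presence alone is the indicator markusa describes.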
- 🇪🇨 Ecuador jwilson3
Is this issue mitigated by the fact that you must have access to the CKEditor (which is typically only limited to administrative users)?
As a side note: Our staff reached out to CKSource team and were quoted a completely inaccessible and unrealistic price to purchase the LTE support for CKE4.
Organizations on a legacy Drupal project that do NOT have money to upgrade to Drupal 9 also do NOT have $10k per year per project to keep exploits out of their website. So in the end, we're recommending they disable CKEditor until they're able to migrate off. This is a really unfortunate circumstance.
- 🇺🇸 United States Nate Covington
I'm reading here:
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v...
It looks like this vulnerability only applies if you have "Full Page Editing" enabled? Or the Advanced Configuration re: CDATA? Can someone double check my math, etc? It seems like for most private D7 sites, where you only have a few admins, the general public never touches ckeditor... this doesn't apply?
- 🇺🇸 United States Fred Herman
Is there another module that provides the same functionality as CKEditor for Drupal 7? I am not using composer, just have been downloading new modules as required.
- 🇺🇸 United States Nate Covington
I'm looking at the security details here:
https://security.snyk.io/package/npm/ckeditor4/4.14.0
It looks like the issue is in this file specifically:
/core/htmlparser.js
On my D7 site, using ckeditor 7.x-1.22, I renamed the file like this, to disable it:
/sites/all/libraries/ckeditor/_source/core/htmlparser-suspect.js
Then I went back into the site and was able to edit / save / etc.
There was a reference to this file too:
/public_html/sites/all/libraries/ckeditor/_samples/ajax.html
I renamed it like this to be safe:
/public_html/sites/all/libraries/ckeditor/_samples/ajax-disable.html
In a few weeks I plan on removing these files altogether because they don't seem to be mission critical ^
Thanks,
-Nate
- 🇺🇸 United States sikofitt
It looks like there are no alternatives. https://www.drupal.org/project/wysiwyg is minimally maintained supporting Ckeditor4 and TinyMCE4 which are both out of support. I'm not even sure using a company for LTS or D7Security is an option since Ckeditor4 LTS is a paid solution.
- 🇺🇸 United States seanr
Per that same CVE report:
The fix will be available in version 4.24.0-lts
Would it not be possible to pull that release into this module? I've got a situation where upgrading to Ckeditor5 causes breakage. I'd obviously like to get it upgraded and that issue resolved, but finding the time...
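Before deciding whether a site needs the 4.24.0-lts release quoted above, it helps to know which CKEditor 4 build is actually installed. The script below is an added example (not from seanr's comment, and not part of the Drupal ckeditor module or CKSource's code): it reads the version string out of the library's ckeditor.js and reports whether it is older than 4.24.0. Assumptions: the minified ckeditor.js carries its version as version:"X.Y.Z" (the value CKEDITOR.version exposes), the library lives at sites/all/libraries/ckeditor/ckeditor.js on a D7 site, and the sample file built here is a constructed stand-in, not a real build.

```shell
#!/bin/sh
# Added example, not from the issue thread: report whether an installed
# CKEditor 4 library predates the 4.24.0-lts release named above.
# Assumption: ckeditor.js contains version:"X.Y.Z" (CKEDITOR.version).

FIXED_VERSION="4.24.0"

# ckeditor_version FILE -> prints the version found in FILE, or "unknown"
ckeditor_version() {
    v=$(grep -o 'version:"[0-9][0-9a-z.-]*"' "$1" 2>/dev/null | head -n 1 |
        sed 's/version:"\(.*\)"/\1/')
    printf '%s\n' "${v:-unknown}"
}

# version_lt A B -> exit 0 when dotted version A sorts before B.
# Compares numerically per component; a suffix such as "-lts" is ignored.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

# check_ckeditor FILE -> "vulnerable <ver>", "fixed <ver>" or "unknown"
check_ckeditor() {
    v=$(ckeditor_version "$1")
    if [ "$v" = "unknown" ]; then
        printf 'unknown\n'
    elif version_lt "$v" "$FIXED_VERSION"; then
        printf 'vulnerable %s\n' "$v"
    else
        printf 'fixed %s\n' "$v"
    fi
}

# Constructed stand-in for sites/all/libraries/ckeditor/ckeditor.js (not a real build).
make_sample_ckeditor_js() {
    f=$(mktemp)
    printf 'window.CKEDITOR||(window.CKEDITOR=function(){var a={timestamp:"",version:"%s",revision:"0"};return a}());\n' "$1" > "$f"
    printf '%s\n' "$f"
}

# Stand-alone run. On a live D7 site:
#   check_ckeditor sites/all/libraries/ckeditor/ckeditor.js
f=$(make_sample_ckeditor_js "4.22.1")
check_ckeditor "$f"    # prints: vulnerable 4.22.1
rm -f "$f"
```

An "unknown" result means the version string was not where this script expects it (a custom or source build, or a different library layout) and the check has to be done by hand rather than treated as a pass.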
- 🇺🇸 United States Nate Covington
Would it not be possible to pull that release into this module? I've got a situation where upgrading to Ckeditor5 causes breakage on a D10 upgrade. I'd obviously like to get it upgraded and that issue resolved, but finding the time...
I think the issue is the 4.24.x-LTS is the "commercial" flavor of the plugin. So yes, you can use this. But most of us are sitting here scratching our heads over the "suddenly commercial" license and looking for alternatives.
- 🇺🇸 United States Fred Herman
I'm willing to donate some $$ if someone can create a non-commercial equivalent to CKEditor, preferably with a simple module without the complicated plugin organization.
- 🇺🇸 United States sikofitt
There is also this module https://www.drupal.org/project/ckeditor_lts . Although you still need to pay CKeditor money for the long term support.
- 🇺🇸 United States seanr
Ah, got it. I ended up migrating my sites to CK5, so it's kinda moot, but it's a PITA since the config isn't 1-to-1. :(
- 🇺🇸 United States Nate Covington
You mean this?
https://www.drupal.org/project/ckeditor5
It says it's not supported. You mean you updated the Drupal 7 sites to Drupal 9/10?