CIVI-SA-2021-09: CKEditor (Multiple Advisories)

Published
2021-08-17 12:00
CiviCRM bundles the rich-text editing component CKEditor, which recently released a security update (v4.16.2) addressing three security issues.

We expect that these vulnerabilities cannot be meaningfully exploited by automated bots or crawlers, but they may be exploitable with modest social engineering. We therefore advise upgrading (or applying one of the alternative solutions below).

Security Risk: Moderately Critical

Vulnerability: Cross Site Scripting, Other

Affected Versions: CiviCRM 5.40.1 and earlier

Fixed Versions: CiviCRM version 5.40.2 and ESR version 5.39.2

Solutions

The recommended solution is:

  • Upgrade to CiviCRM v5.40.2+ or v5.39.2+ (ESR)

If you need a short-term alternative, any ONE of the following will mitigate the vulnerability:

  • Perform a temporary upgrade to CKEditor v4.16.2+

  • Switch to CKEditor v5.x
    • Install the "CKEditor 5" extension (https://civicrm.org/extensions/ckeditor-5; also available for in-app download)
    • Navigate to "Administer => Customize Data and Screens => Display Preferences"
    • Change the "WYSIWYG Editor" to CKEditor 5
  • Disable CKEditor
    • Navigate to "Administer => Customize Data and Screens => Display Preferences"
    • Change "WYSIWYG Editor" to "Textarea"
  • Refrain from pasting third-party content into CKEditor
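To confirm whether a site is still in the affected range, an added check (not part of this advisory or of CiviCRM) that compares a CiviCRM version against the fixed releases named above, including the ESR 5.39.x line, and reads the bundled CKEditor version out of a ckeditor.js build. The assumption that a CKEditor 4 build carries a literal such as `version:"4.16.1"` is mine, and the sample file contents below are constructed, not a real build.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed versions named in the advisory.
CKEDITOR_FIXED: Version = (4, 16, 2)
CIVICRM_FIXED = {39: (5, 39, 2), 40: (5, 40, 2)}  # ESR 5.39.x line and 5.40.x line


def parse_version(text: str) -> Version:
    """Turn '5.40.1' or 'v4.16.2' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def ckeditor_version_from_js(js: str) -> Optional[Version]:
    """Extract the build version from ckeditor.js contents.

    Assumption: the build contains a literal like version:"4.16.1"
    (CKEditor 4 exposes this as CKEDITOR.version). Returns None if absent.
    """
    m = re.search(r'version\s*[:=]\s*"(\d+\.\d+\.\d+)"', js)
    return parse_version(m.group(1)) if m else None


def ckeditor_is_fixed(version: Version) -> bool:
    """True when the bundled CKEditor is at or above the patched 4.16.2."""
    return version >= CKEDITOR_FIXED


def civicrm_is_fixed(version: Version) -> bool:
    """True when CiviCRM is a release that carries the fix.

    5.39.x needs 5.39.2+, 5.40.x needs 5.40.2+, 5.41+ is fixed,
    anything older than 5.39 is affected.
    """
    major, minor, _ = version
    if major != 5:
        return major > 5
    if minor in CIVICRM_FIXED:
        return version >= CIVICRM_FIXED[minor]
    return minor > 40


# Constructed sample of a bundled CKEditor 4 build header (not a real file).
SAMPLE_CKEDITOR_JS = 'CKEDITOR={timestamp:"XXXX",version:"4.16.1",revision:"0"};'
```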


Credits

Anton Subbotin, Mika Kulmala, and the CKEditor team for identifying and fixing the vulnerabilities.

Jude Hungerford, Seamus Lee, and the CiviCRM security team for referring/porting to CiviCRM.

CVE
CVE-2021-32809