CiviCRM bundles the CKEditor rich-text editing component, which recently released a security update (v4.16.2) addressing three security issues.
We expect that these vulnerabilities cannot be meaningfully exploited by automated bots or crawlers, but they may be exploitable with modest social engineering (for example, persuading a user to paste untrusted content into the editor). We therefore advise upgrading, or applying one of the alternative solutions below.
Affected versions: CiviCRM 5.40.1 and earlier
Fixed versions: CiviCRM 5.40.2 and ESR 5.39.2
The recommended solution is:
- Upgrade to CiviCRM v5.40.2+ or v5.39.2+ (ESR)
If you need a short-term alternative, any ONE of the following will mitigate the vulnerabilities:
- Perform a temporary upgrade to CKEditor v4.16.2+ (note that a later CiviCRM upgrade will replace this folder again, so this is a stop-gap until you can move to a fixed CiviCRM release)
  - Download CKEditor directly (https://github.com/ckeditor/ckeditor-releases/archive/4.16.2.zip)
  - Extract "4.16.2.zip" and replace the folder "civicrm/bower_components/ckeditor/" in your CiviCRM codebase with the extracted contents
- Switch to CKEditor v5.x
  - Install the "CKEditor 5" extension (https://civicrm.org/extensions/ckeditor-5; also available for in-app download)
  - Navigate to "Administer => Customize Data and Screens => Display Preferences"
  - Change the "WYSIWYG Editor" to "CKEditor 5"
- Disable CKEditor
  - Navigate to "Administer => Customize Data and Screens => Display Preferences"
  - Change the "WYSIWYG Editor" to "Textarea"
- Refrain from pasting third-party content into CKEditor
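The manual CKEditor replacement above is easy to get wrong (swapping in the wrong build, or re-applying it on a site that is already patched). The script below is an added example, not part of the CiviCRM advisory or the project's own tooling: it reads the version embedded in the installed `ckeditor.js`, and only if that is older than 4.16.2 downloads the upstream zip, verifies the downloaded build really is 4.16.2, backs up the old folder and moves the new one into place. It assumes that a CKEditor 4 build's `ckeditor.js` contains a `version:"4.x.y"` literal, that the GitHub archive unpacks into `ckeditor-releases-4.16.2/`, and that the path passed as `$1` is the CiviCRM codebase root (the directory containing `bower_components/`). The `make_fixture` helper writes a constructed stand-in for `ckeditor.js` so the checks can be exercised without a real install.

```shell
#!/bin/sh
# Added example (not from the CiviCRM advisory): hot-patch the bundled
# CKEditor 4 to 4.16.2, as described in the advisory's manual steps.
# Assumptions (not stated on the page): the built ckeditor.js contains
# a  version:"4.x.y"  literal; the GitHub archive extracts to
# ckeditor-releases-4.16.2/; $1 is the CiviCRM codebase root.
set -eu

FIXED_VERSION="4.16.2"
RELEASE_URL="https://github.com/ckeditor/ckeditor-releases/archive/${FIXED_VERSION}.zip"

# Print the version literal found in a CKEditor 4 build directory
# (empty output if the file is missing or carries no such literal).
ckeditor_version() {
    grep -o 'version:"[0-9][0-9.]*"' "$1/ckeditor.js" 2>/dev/null \
        | head -n 1 | cut -d'"' -f2
}

# Return 0 when dotted version $1 >= $2, comparing component by component
# numerically (so 4.16.10 > 4.16.2, unlike a plain string compare).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0;
            q = (i <= nb) ? y[i] + 0 : 0;
            if (p > q) exit 0;
            if (p < q) exit 1;
        }
        exit 0
    }'
}

# Return 0 if the build in $1 is older than FIXED_VERSION, 1 if it is
# already fixed, 2 if no version could be read (do not guess in that case).
needs_upgrade() {
    v=$(ckeditor_version "$1")
    if [ -z "$v" ]; then
        echo "could not read a CKEditor version from $1/ckeditor.js" >&2
        return 2
    fi
    if version_ge "$v" "$FIXED_VERSION"; then return 1; else return 0; fi
}

# Download the fixed release, confirm its version, and swap it into
# <civicrm root>/bower_components/ckeditor, keeping a timestamped backup.
replace_ckeditor() {
    root="$1"
    dest="$root/bower_components/ckeditor"
    tmp=$(mktemp -d)
    curl -fsSL -o "$tmp/ckeditor.zip" "$RELEASE_URL"
    unzip -q "$tmp/ckeditor.zip" -d "$tmp"
    new="$tmp/ckeditor-releases-$FIXED_VERSION"
    if [ "$(ckeditor_version "$new")" != "$FIXED_VERSION" ]; then
        echo "downloaded build does not report version $FIXED_VERSION; aborting" >&2
        rm -rf "$tmp"
        return 1
    fi
    mv "$dest" "$dest.bak.$(date +%Y%m%d%H%M%S)"
    mv "$new" "$dest"
    rm -rf "$tmp"
}

# Constructed fixture (not a real CKEditor build): a directory whose
# ckeditor.js carries only the version literal the checker looks for.
make_fixture() {
    d=$(mktemp -d)
    printf 'window.CKEDITOR||(window.CKEDITOR=function(){var a={timestamp:"XXXX",version:"%s",revision:"0"};return a}());\n' \
        "$1" > "$d/ckeditor.js"
    echo "$d"
}

# Usage: sh ckeditor-hotfix.sh /path/to/civicrm
if [ "$#" -gt 0 ]; then
    editor_dir="$1/bower_components/ckeditor"
    if needs_upgrade "$editor_dir"; then
        replace_ckeditor "$1"
        echo "CKEditor replaced; now at $(ckeditor_version "$editor_dir")"
    else
        echo "CKEditor $(ckeditor_version "$editor_dir") is already >= $FIXED_VERSION; nothing to do"
    fi
fi
```

Run it against the CiviCRM codebase root (for example `sh ckeditor-hotfix.sh /var/www/sites/all/modules/civicrm`); re-run after a CiviCRM upgrade to confirm the editor is still at a fixed version, since the upgrade rewrites `bower_components/`.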
Credits: Anton Subbotin, Mika Kulmala, and the CKEditor team for identifying and fixing the vulnerabilities; Jude Hungerford, Seamus Lee, and the CiviCRM security team for referring the issue and porting the fix to CiviCRM.