KCFinder provides a file-management dialog for CKEditor 4. It contained two vulnerabilities:
- It allowed a "reflected" cross-site scripting (XSS) attack.
- It bypassed a CiviCRM policy option that restricts file uploads. (The bypass was still subject to other restrictions. The likely impact is a "stored" XSS attack, although other impacts are possible.)
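The second item is the more instructive one: an application can configure an upload policy in one place, but every component that writes files, including a bundled file-manager dialog, has to enforce it, or an attacker can upload a file that the main form handler would have refused. The following is an added illustrative example, not CiviCRM or KCFinder code, of what such a policy check has to cover if it is to prevent stored XSS: every dotted suffix of the name must be on the allow-list (so double extensions are caught), active-content types are refused regardless of configuration, the bytes must match the claimed type where that can be sniffed, and path separators and control characters are stripped before the name is used. The allow-list, the magic-byte table and the `dialog_upload` entry point are all assumptions made for this example.

```python
import unicodedata

# Constructed allow-list for this example; it is not CiviCRM's actual setting value.
SAFE_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "pdf", "txt", "csv"})

# Extensions a browser or web server treats as active content. These are refused
# even if an administrator adds them to the configured list.
ACTIVE_EXTENSIONS = frozenset(
    {"html", "htm", "xhtml", "svg", "xml", "js", "php", "phtml", "phar", "shtml"}
)

# Constructed magic-byte table for the formats this example can sniff.
MAGIC = (
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
)
SNIFFABLE = frozenset(kind for _, kind in MAGIC)
CANONICAL = {"jpeg": "jpg"}

# Tokens that indicate markup or script in a body that claims to be a passive type.
MARKUP_TOKENS = (b"<script", b"<svg", b"<html", b"<iframe", b"<?php")


def normalize_name(filename: str) -> str:
    """Reduce a client-supplied name to a bare file name: no path, no NUL or
    other control characters, no leading/trailing dots or spaces."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    base = unicodedata.normalize("NFKC", base)
    base = "".join(ch for ch in base if ch.isprintable())
    return base.strip(" .")


def check_upload(filename: str, content: bytes, allowed=SAFE_EXTENSIONS):
    """Return (accepted, reason) for a candidate upload.

    Every dotted suffix is checked, not just the last one, so names such as
    'shell.php.jpg' or 'page.html.png' are refused."""
    name = normalize_name(filename)
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    for ext in parts[1:]:
        if ext in ACTIVE_EXTENSIONS:
            return False, f"active content extension .{ext}"
        if ext not in allowed:
            return False, f".{ext} not in allow-list"
    # For formats we can sniff, the bytes must match the claimed type; an SVG or
    # HTML body renamed to .png is refused here.
    final = CANONICAL.get(parts[-1], parts[-1])
    sniffed = next((kind for magic, kind in MAGIC if content.startswith(magic)), None)
    if final in SNIFFABLE and sniffed != final:
        return False, "content does not match extension"
    # Passive text types (txt, csv) cannot be sniffed, so refuse obvious markup.
    head = content[:1024].lower()
    if any(token in head for token in MARKUP_TOKENS):
        return False, "markup or script in body"
    return True, "ok"


def dialog_upload(store: dict, filename: str, content: bytes):
    """Hypothetical file-manager entry point. It must apply the same policy as
    the main upload handler; a dialog that writes to the store without this
    call is the class of bypass the advisory describes. Returns the stored
    name, or None if the upload was refused."""
    accepted, _reason = check_upload(filename, content)
    if not accepted:
        return None
    name = normalize_name(filename)
    store[name] = content
    return name
```

The check is deliberately strict about case (`photo.PNG` is compared in lower case) and about the whole suffix chain, because a policy that inspects only the final extension, or only the extension as typed, is the usual way such allow-lists are bypassed.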
Affected versions: CiviCRM 5.64.3 and earlier.
Fixed versions: CiviCRM 5.64.4, 5.65.0 and 5.63.4 (ESR).
Solution: upgrade to one of the fixed versions of CiviCRM.
Credits:
- Dennis Brinkrolf of RIPS Technologies / Cure53 / Mozilla Open Source Support (MOSS).
- Seamus Lee of JMA Consulting / CiviCRM.
- Tim Otten of CiviCRM.