Solved
[CKEditor.Reactive] Security Vulnerabilities in the current CKEditor.Reactive version
Forge asset: ckeditor-reactive, by Fábio Fantato
Application Type: Reactive

Hi all,

The current version of CKEditorReactive, used in OutSystems applications and based on CKEditor 4.24.1-LTS, still contains known security vulnerabilities that have already been mitigated in the newer CKEditor 4.25.0-LTS release.

Specifically, CKEditor versions before 4.25.0-LTS are affected by publicly documented Cross-Site Scripting (XSS) vulnerabilities, including:

  • XSS vulnerability in the Code Snippet plugin, caused by the dependency on the GeSHi library, which is no longer maintained and is considered insecure. This dependency was completely removed in CKEditor 4.25.0-LTS, eliminating this attack vector.

  • A theoretical XSS vulnerability related to the version notification mechanism, which could be exploited in an improbable scenario involving the takeover of an external domain. In CKEditor 4.25.0-LTS, this feature was disabled by default and further hardened, aligning the editor with security best practices.

Although some of these vulnerabilities are classified as low to medium risk, they can still be relevant in enterprise environments, internet-facing applications, or scenarios with strict security and compliance requirements (e.g., ISO 27001, OWASP, security audits).

Upgrading CKEditorReactive to a base version equal to or higher than CKEditor 4.25.0-LTS would:

  • Remove known XSS vulnerabilities,

  • Reduce the overall attack surface,

  • Align the component with the latest officially supported LTS release of CKEditor 4.

This is a suggestion for consideration in future versions of the component, in order to improve the security posture of OutSystems applications relying on CKEditorReactive.

Reference: https://ckeditor.com/cke4/release/CKEditor-4.25.0-LTS

Thank you.

2024-04-02 16-28-34
Gonçalo Ferraria
Solution

Hi all,

To help future readers who may have questions about this topic, I’m sharing below the outcome of my investigation regarding the current scenario:

The current version of this component, 1.1.2, published on 11-07-2024, corresponds to the latest available release, in which mitigation measures for the security vulnerabilities identified in CKEditor versions before 4.24.0 have already been implemented.

However, starting from version 4.24.0, this library became subject to commercial licensing terms, requiring the acquisition of an Extended Support Model (ESM) contract, which is not intended in the current context.

Therefore, to continue using a commercially open-source version, the current component version, as described in the official documentation, includes CKEditor 4.22.1 (30-06-2023) with security mitigation. In other words, although this is an older version, it already includes mitigations for the security issues identified in later versions.

Nevertheless, we confirmed that CKEditor 4.25.0 introduces additional security measures when compared to version 4.24.0, mainly:

  • Fixes for known XSS vulnerabilities

  • Removal of unsafe dependencies

We reviewed the changes introduced between versions 4.24.0 and 4.25.0 to understand how these additional security measures were addressed, based on the official reference: “CKEditor 4.25.0 LTS released with security patches | CKEditor”

The relevant changes are:

  • Complete removal of the GeSHi library, used by the Code Snippet plugin. → This plugin is not included in the component version in use and is therefore not applicable.

  • Low-impact vulnerability in CodeMirror, a plugin that exists only in examples/demos. → This does not affect production environments and is limited to the samples folder, which is not included in the component version, and is therefore not applicable.

Conclusion: Based on the analysis performed and considering the current usage context of the component, no additional mitigation actions are required, as the relevant security measures are already adequately addressed.

Thank you.
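An added audit script (not part of this thread or of the CKEditor.Reactive component) that applies the reasoning of the solution above to an unpacked CKEditor 4 bundle: it reads the version out of ckeditor.js, checks whether the GeSHi-based Code Snippet plugin or the samples folder is actually shipped, and flags action only when the bundle is older than 4.25.0 and exposes one of them. The directory names plugins/codesnippetgeshi and samples/ are assumptions about the bundle layout, not values taken from the thread.

```python
import re
from pathlib import Path

# Lowest CKEditor 4 release in which both issues from the thread are addressed.
FIXED_VERSION = (4, 25, 0)

# Assumed on-disk locations, not stated in the thread: CKEditor 4 ships the
# GeSHi-based Code Snippet plugin as plugins/codesnippetgeshi and the CodeMirror
# demo under samples/. Adjust if the bundle is laid out differently.
AFFECTED_PATHS = {
    "Code Snippet (GeSHi)": "plugins/codesnippetgeshi",
    "CodeMirror samples": "samples",
}

# Matches both the source form  CKEDITOR.version = '4.22.1'  and the built
# form  version:"4.22.1 (Standard)"  found in ckeditor.js.
VERSION_RE = re.compile(r'version\s*[:=]\s*["\'](\d+)\.(\d+)\.(\d+)')


def parse_version(js_text):
    """Return the CKEditor version as a tuple, or None if it cannot be found."""
    m = VERSION_RE.search(js_text)
    return tuple(int(g) for g in m.groups()) if m else None


def assess(version, bundled):
    """Decide applicability the way the solution post reasons: the 4.25.0 fixes
    only matter if the bundle is older than 4.25.0 AND actually ships the
    affected plugin or samples. An unknown version is treated as outdated."""
    outdated = version is None or version < FIXED_VERSION
    exposed = [name for name, present in bundled.items() if present]
    return {
        "version": version,
        "outdated": outdated,
        "exposed": exposed,
        "action_needed": outdated and bool(exposed),
    }


def audit(root):
    """Inspect an unpacked CKEditor 4 directory (ckeditor.js at its top level)."""
    root = Path(root)
    js = root / "ckeditor.js"
    version = parse_version(js.read_text(errors="ignore")) if js.is_file() else None
    bundled = {name: (root / rel).exists() for name, rel in AFFECTED_PATHS.items()}
    return assess(version, bundled)


if __name__ == "__main__":
    import sys
    # Usage: python audit_ckeditor.py /path/to/unpacked/ckeditor
    print(audit(sys.argv[1] if len(sys.argv) > 1 else "."))
```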


2023-10-16 05-50-48
Shingo Lam

Thanks for your clarification.
