Bug 1569828 (CVE-2018-9861)

Summary: CVE-2018-9861 ckeditor: Cross-site scripting (XSS) vulnerability when using image2 plugin
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: hello, orion, shawn
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ckeditor 4.9.2, drupal8 8.4.7, drupal8 8.5.2 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-03-21 04:08:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1569829, 1569830    
Bug Blocks:    

Description Sam Fowler 2018-04-20 03:38:42 UTC
CKEditor versions 4.5.11 through 4.9.1 have a cross-site scripting (XSS) vulnerability when using the image2 plugin.

CKEditor bundled with Drupal 8 is fixed in versions 8.5.2 and 8.4.7.

The Drupal 7.x CKEditor version 1.18 is not vulnerable.


External References:

https://www.drupal.org/sa-core-2018-003


Upstream patch:

https://github.com/ckeditor/ckeditor-dev/commit/aab10e3d0ad6a11cfb4eab47f1c0353593dd4f00

Comment 1 Sam Fowler 2018-04-20 03:39:05 UTC
Created ckeditor tracking bugs for this issue:

Affects: fedora-all [bug 1569829]


Created drupal8 tracking bugs for this issue:

Affects: fedora-all [bug 1569830]

Comment 2 Shawn Iwinski 2019-03-21 03:32:02 UTC
All dependent bugs have been closed.  Can this tracking bug be closed?

Comment 3 Sam Fowler 2019-03-21 04:08:58 UTC
In reply to comment #2:
> All dependent bugs have been closed.  Can this tracking bug be closed?

Yep, closed.