CyberSecurity - Maven CKEditor 4.7.0 for ZK9.6.0.2

asked 2022-07-27 23:29:11 +0800

vjulien

Hi,

I have some concern about the latest ZK version (9.6.0.2) that has been flagged in a cybersecurity audit.

The version of CKEditor that is actually used by ZKOSS (4.7.0) has many flaws in terms of cybersecurity. We detected ckeditor version 4.7.0, which has the following vulnerabilities:
  • CVE-2021-32809: XSS Clipboard plugin
  • CVE-2021-32808: XSS Widget plugin
  • CVE-2021-37695: XSS Fake Objects plugin
  • CVE-2021-41164, CVE-2021-41165: XSS vulnerabilities module
  • CVE-2022-24728: Inject malformed URL

ZKOSS PATH: /zkau/web/_zv4.7.0.0/js/ckez.wpd

Are you planning on updating that version soon? Is there some alternative for me to bypass it if no action is going to be taken on your side?

Sincerely

Vincent J.


2 Answers


answered 2022-07-28 09:35:03 +0800

jeanher (ZK Team)

The latest ZK CKEditor is 4.18.0.0, which is based on CKEditor 4.18.0 and should have already fixed/patched these security issues.

If you use this add-on, update your maven pom file version string to 4.18.0.0; or download the jar file manually here: https://github.com/zkoss/zkckeditor/releases/tag/v4.18.0.0

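As an added example (not part of either post), a small Python check that parses a pom.xml and flags a ZK CKEditor dependency older than the 4.18.0.0 release the answer points to, resolving `${property}` version references on the way. The Maven coordinates org.zkoss.zkforge:ckez and the sample pom are assumptions constructed here; confirm the coordinates against your own pom.

```python
import xml.etree.ElementTree as ET

# Coordinates of the ZK CKEditor add-on: an assumption here, check your own pom.
CKEZ_GROUP, CKEZ_ARTIFACT = "org.zkoss.zkforge", "ckez"
# First ZK CKEditor release named in the answer as carrying the fixes.
FIXED_VERSION = "4.18.0.0"
POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample pom.xml mirroring the thread: ZK 9.6.0.2 with an old ckez 4.7.0.0.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><ckez.version>4.7.0.0</ckez.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.zkoss.zk</groupId>
      <artifactId>zk</artifactId>
      <version>9.6.0.2</version>
    </dependency>
    <dependency>
      <groupId>org.zkoss.zkforge</groupId>
      <artifactId>ckez</artifactId>
      <version>${ckez.version}</version>
    </dependency>
  </dependencies>
</project>"""

def version_tuple(version):
    """'4.7.0.0' -> (4, 7, 0, 0); compares numerically, unlike a plain string compare."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def find_ckez_versions(pom_xml):
    """Return every declared ckez version, resolving ${property} references."""
    root = ET.fromstring(pom_xml)
    ns = POM_NS if root.tag.startswith("{") else ""   # tolerate a namespace-less pom
    props = {p.tag.replace(ns, ""): (p.text or "").strip()
             for p in root.findall(f"{ns}properties/*")}
    versions = []
    for dep in root.iter(f"{ns}dependency"):
        if (dep.findtext(f"{ns}groupId") != CKEZ_GROUP
                or dep.findtext(f"{ns}artifactId") != CKEZ_ARTIFACT):
            continue
        version = (dep.findtext(f"{ns}version") or "").strip()
        if version.startswith("${") and version.endswith("}"):
            version = props.get(version[2:-1], version)
        versions.append(version)
    return versions

def outdated_ckez_versions(pom_xml):
    """ckez versions older than FIXED_VERSION, i.e. what an audit would still flag."""
    return [v for v in find_ckez_versions(pom_xml)
            if version_tuple(v) < version_tuple(FIXED_VERSION)]
```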

answered 2022-07-28 23:46:27 +0800

vjulien

Hi, thank you for the feedback. I will try your solution; here were my dependencies.

As I cannot insert XML (pom.xml) here, here is plaintext:

Dependency; artifact; version
org.zkoss.calendar; calendar; 2.1.6.FL.20161111
org.zkoss.zk; zkplus-legacy; 9.6.0.2
org.zkoss.zk; zkplus; 9.6.0.2
org.zkoss.common; zcommon; 9.6.0.2
org.zkoss.zk; zhtml; 9.6.0.2
org.zkoss.zk; zkbind; 9.6.0.2
org.zkoss.zk; zul; 9.6.0.2
org.zkoss.zk; zk; 9.6.0.2
