CKEditor version 4.7.1 in Pega 23.1

Hi

We are on Pega 23, and a recent scan revealed that Pega is using CKEditor version 4.7.1, which has the vulnerabilities listed below. How do I resolve this?

XSS if the enhanced image plugin is installed
https://ckeditor.com/blog/CKEditor-4.9.2-with-a-security-patch-released/
https://ckeditor.com/cke4/release-notes
XSS vulnerability in the HTML parser
https://ckeditor.com/blog/CKEditor-4.11-with-emoji-dropdown-and-auto-link-on-typing-released/
https://snyk.io/vuln/SNYK-JS-CKEDITOR-72618
XSS-type attack inside CKEditor 4 by persuading a victim to paste a specially crafted HTML code into the Color Button dialog
https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-4151
XSS
https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-414
ReDoS vulnerability in Autolink plugin and Advanced Tab for Dialogs plugin
https://ckeditor.com/cke4/release/CKEditor-4.16.0
CVE-2021-32809: XSS vulnerability in the Clipboard plugin
CVE-2021-32808: XSS vulnerability in the Widget plugin
CVE-2021-37695: XSS vulnerability in the Fake Objects plugin
CVE-2021-41164, CVE-2021-41165: XSS vulnerabilities in the core module
CVE-2022-24728: Inject malformed URL to bypass content sanitization for XSS

@Arvind I see that you logged the same question with our GCS team on the 23rd of February under INC-C8092 (CKEditor 4.7.1 has security vulnerabilities in Pega 23).

The solution provided was:

Solution type description:

The vulnerabilities marked for CKEditor 4.7.1 do not impact the Pega platform since we use our custom wrapper code to mitigate the vulnerabilities of CKEditor plugins.

The detailed notes are provided below:

Out of the vulnerabilities listed for version 4.7.1, only one is relevant to us: “CKEditor 4.x before 4.11.0 allows user assisted XSS involving a source mode paste”. The other vulnerabilities are due to the Enhanced Image plugin and the Preview plugin, which we don’t use or include in the platform. We have handled this vulnerability via the JSoupParser utility in the platform, which cleans the RTE content of script tags in iframes and of attributes like onerror and onchange, through which JS can be injected. This doesn’t throw any error or give any warning if it encounters such a script or attribute; it simply removes such scripts and attributes. We have also adopted the DOMPurify plugin for CKEditor to further help sanitize the RTE content.
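To illustrate the kind of server-side allowlist cleaning the answer describes, here is an added example written with the open-source jsoup library; it is not Pega's JSoupParser utility, and the class name RteSanitizer, the allowed tag set and the sample input are all assumptions. It also adds the one thing a silent strip lacks: a check that reports when sanitization changed the content, so the event can be logged.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

/** Hypothetical stand-in for a platform-side RTE sanitizer (not Pega's JSoupParser). */
public final class RteSanitizer {

    // Allowlist: the formatting tags jsoup's relaxed() permits, plus an embedded
    // iframe restricted to https sources. script tags, on* event-handler attributes
    // and javascript: URLs are dropped simply because they are not on the list.
    private static final Safelist SAFELIST = Safelist.relaxed()
            .addTags("iframe")
            .addAttributes("iframe", "src", "width", "height")
            .addProtocols("iframe", "src", "https");

    /** Returns the cleaned fragment; unsafe nodes and attributes are removed silently. */
    public static String clean(String rteHtml) {
        return Jsoup.clean(rteHtml, SAFELIST);
    }

    /** True when the input already conforms, i.e. cleaning would change nothing. */
    public static boolean isAlreadyClean(String rteHtml) {
        return Jsoup.isValid(rteHtml, SAFELIST);
    }

    public static void main(String[] args) {
        // Constructed sample of pasted RTE content carrying the attribute and
        // script vectors the answer mentions (onerror/onchange handlers, script
        // inside an iframe, a javascript: link).
        String pasted = "<p onmouseover=\"alert(1)\">Hello <b>world</b></p>"
                + "<img src=\"https://example.invalid/a.png\" onerror=\"alert(1)\">"
                + "<select onchange=\"alert(1)\"><option>x</option></select>"
                + "<iframe src=\"https://example.invalid/embed\"><script>alert(1)</script></iframe>"
                + "<a href=\"javascript:alert(1)\">link</a>";

        if (!isAlreadyClean(pasted)) {
            // Where the platform strips silently, a defender usually wants a record:
            // log the event so monitoring can see how often hostile markup hits the RTE.
            System.out.println("RTE content was modified by the sanitizer");
        }
        System.out.println(clean(pasted));
    }
}
```

Run it with jsoup on the classpath; the printed output keeps the paragraph, bold text, image and iframe but contains none of the handlers, the script or the javascript: link.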