CKEditor version for Pega 8.7.4

Problem: Security has flagged us for using a CKEditor version with XSS security vulnerability.

Proposed Solution: Update CKEditor version to v4.11.0

Question for Pega: Currently we are using Pega Version 8.7.4. I believe the CKEditor version is tied to the Pega version. I think the CKEditor version for 8.7.4 is v4.7.1. I believe the updated CKEditor version v4.11.0 is installed in Pega version 8.7.5. Can I get the CKEditor version for each Pega release?

@PhuongN7 please see the post Jquery and ckeditor library versions in 8.7 for more details on how ckeditor versions are implemented in Pega.

Currently the vulnerabilities marked for CKEditor 4.7.1 do not impact the Pega platform since we use our custom wrapper code to mitigate the vulnerabilities of CKEditor plugins.

Out of the vulnerabilities for version 4.7.1, only one is relevant to Pega: “CKEditor 4.x before 4.11.0 allows user assisted XSS involving a source mode paste” (CVE-2018-17960).

We have handled this vulnerability via the JSoupParser Utility in the platform, which cleans the RTE content of script tags, iframes, and attributes like onerror and onchange through which JS can be injected. This does not throw any error or give any warning if it encounters such a script or attribute; it simply removes the script and attributes.

Any other vulnerabilities are due to the Enhanced Image plugin and Preview Plugin which we don’t use or include in the platform.
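As an added illustration of the allowlist-based server-side cleaning the reply describes (this is example code, not Pega's JSoupParser Utility), here is a Jsoup sanitizer for rich-text editor output. It assumes jsoup 1.14 or later (the `Safelist` API) on the classpath; the sample input and the `RteSanitizer` class name are constructed for this example.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

/** Hypothetical sanitizer for HTML submitted from a rich-text editor. */
public class RteSanitizer {

    // Allowlist: formatting, links, images and tables, but no script,
    // iframe, object/embed, and no on* event-handler attributes.
    // Link and image URLs are restricted to http/https so that
    // javascript: and data: URLs are dropped as well.
    static final Safelist RTE_SAFELIST = Safelist.relaxed()
            .addTags("span")
            .addProtocols("a", "href", "http", "https", "mailto")
            .addProtocols("img", "src", "http", "https")
            .preserveRelativeLinks(false);

    /** Returns the cleaned HTML; disallowed tags/attributes are silently removed. */
    public static String sanitize(String rteHtml) {
        return Jsoup.clean(rteHtml, RTE_SAFELIST);
    }

    /**
     * True when the input already conforms to the allowlist. Checking this
     * before sanitize() lets the application log or alert on content that
     * needed cleaning, which plain removal (as in the reply) does not do.
     */
    public static boolean isAlreadyClean(String rteHtml) {
        return Jsoup.isValid(rteHtml, RTE_SAFELIST);
    }

    public static void main(String[] args) {
        // Constructed sample: a benign paragraph carrying an event-handler
        // attribute, an iframe, and an image with a javascript: URL.
        String submitted = "<p onmouseover=\"x()\">Hello <b>world</b></p>"
                + "<iframe src=\"https://example.invalid/\"></iframe>"
                + "<img src=\"javascript:x()\" onerror=\"x()\">"
                + "<a href=\"https://example.invalid/doc\">doc</a>";

        if (!isAlreadyClean(submitted)) {
            System.out.println("WARN: RTE content required sanitization");
        }
        System.out.println(sanitize(submitted));
        // Expected: <p>Hello <b>world</b></p> <img> <a href=...>doc</a>
        // (iframe, on* attributes and the javascript: src are gone)
    }
}
```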

@MarijeSchillern - Is it possible to tell in which version of the Pega Platform the CKEditor wrapper was introduced?