TYPO3-CORE-SA-2018-005: Cross-Site Scripting in CKEditor

Categories: Development. Created by Oliver Hader
It has been discovered that TYPO3 CMS is vulnerable to cross-site scripting.
  • Component Type: TYPO3 CMS
  • Vulnerable subcomponent: 3rd party JavaScript library CKEditor
  • Release Date: December 11, 2018
  • Vulnerability Type: Cross-Site Scripting
  • Affected Versions: 8.5.0 to 8.7.20 and 9.0.0 to 9.5.1
  • Severity: Low
  • Suggested CVSS v3.0: AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
  • CVE: CVE-2018-17960

Problem Description

It has been discovered that the third party library CKEditor is vulnerable to cross-site scripting. A valid backend user account is needed in order to exploit this vulnerability.

Details from CKEditor v4.11.0 release notes (affects TYPO3 v8 and v9)
CKEditor 4.11 fixes an XSS vulnerability in the HTML parser reported by maxarr. The vulnerability stemmed from the fact that it was possible to execute XSS inside the CKEditor source area after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste specially crafted HTML code, prepared by the attacker, into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode. Although this is an unlikely scenario, we recommend upgrading to the latest editor version.

Details from CKEditor v4.9.2 release notes (affects TYPO3 v8 only)
CKEditor 4.9.2 fixes an XSS vulnerability in the Enhanced Image (image2) plugin reported by Kyaw Min Thein. The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor using the <img> tag and specially crafted HTML.

Solution

An official fix has been released with CKEditor version 4.11.0.
Update to TYPO3 version 8.7.21 or 9.5.2, which fix the problem described above.

Strong security defaults - Manual actions required

By default, TYPO3 uses the latest version of CKEditor (v4.11.1) in order to apply strong security defaults. For backward compatibility reasons and to avoid possible side effects, it is possible to manually re-enable the previous CKEditor v4.7.1, which re-introduces the vulnerability.

This can be done by assigning $GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['rte_ckeditor'] = 'a:1:{s:15:"ckeditorVersion";s:6:"4.7";}', either by modifying the configuration of the extension rte_ckeditor in the Extension Manager or by using the corresponding deployment techniques.

This applies to TYPO3 v8 only.
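The opt-out above is stored as a PHP-serialized string in the rte_ckeditor extension configuration. The following added audit helper (not TYPO3 code) parses that format and reports whether a TYPO3 v8 site has pinned CKEditor back to the vulnerable 4.7 branch; the sample extConf values are constructed, and the "hardened" value is an assumed placeholder rather than a known TYPO3 setting.

```python
"""Audit helper: detect whether a TYPO3 v8 site re-enables legacy CKEditor 4.7.x.

Hypothetical defender-side check, not part of TYPO3. It parses the PHP
serialize() subset used for $GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']
['rte_ckeditor'] and flags a 'ckeditorVersion' pinned to the 4.7 branch.
"""
import re


def php_unserialize_strings(data: str) -> dict:
    """Parse a:N:{s:L:"key";s:L:"value";...} into a dict of strings.
    Lengths are byte lengths and are enforced, as PHP's unserialize() does."""
    buf = data.encode("utf-8")
    pos = 0

    def read_string() -> str:
        nonlocal pos
        m = re.match(rb's:(\d+):"', buf[pos:])
        if not m:
            raise ValueError(f'expected s:N:"..." at byte {pos}')
        start = pos + m.end()
        end = start + int(m.group(1))
        if buf[end:end + 2] != b'";':          # declared length must match payload
            raise ValueError(f"string length mismatch at byte {pos}")
        pos = end + 2
        return buf[start:end].decode("utf-8")

    m = re.match(rb'a:(\d+):\{', buf)
    if not m:
        raise ValueError("not a serialized PHP array")
    pos = m.end()
    result = {}
    for _ in range(int(m.group(1))):
        key = read_string()
        result[key] = read_string()
    if buf[pos:] != b'}':
        raise ValueError("unexpected trailing data")
    return result


def uses_vulnerable_ckeditor(rte_ckeditor_extconf: str) -> bool:
    """True when the extConf pins CKEditor to 4.7 (CVE-2018-17960 exposure)."""
    if not rte_ckeditor_extconf:
        return False  # no opt-out configured: TYPO3 8.7.21+ ships CKEditor 4.11.1
    version = php_unserialize_strings(rte_ckeditor_extconf).get("ckeditorVersion", "")
    return version == "4.7" or version.startswith("4.7.")


# Constructed sample values, not taken from a real installation.
WEAK_EXTCONF = 'a:1:{s:15:"ckeditorVersion";s:3:"4.7";}'       # legacy 4.7.1 re-enabled
HARDENED_EXTCONF = 'a:1:{s:15:"ckeditorVersion";s:4:"4.11";}'  # assumed non-4.7 value
```

Run it against the value actually stored in LocalConfiguration.php (or exported from the Extension Manager) on each TYPO3 v8 instance; a True result means the advisory's fix has been undone on that site.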

Credits

Thanks to Peter Kraume who reported this issue and to TYPO3 core team member Benni Mack who fixed the issue.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note

All security related code changes are tagged so that you can easily look them up in our review system.