USN-7258-1: CKEditor vulnerabilities
6 February 2025
Several security issues were fixed in CKEditor.
Releases
Packages
- ckeditor - Text editor which can be embedded into web pages
Details
Kevin Backhouse discovered that CKEditor did not properly sanitize HTML
content. An attacker could possibly use this issue to perform cross site
scripting and obtain sensitive information. This issue only affected
Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(CVE-2022-24728)
It was discovered that CKEditor did not properly handle the creation of
editor instances in the Iframe Dialog and Media Embed packages. An
attacker could possibly use this issue to perform cross site scripting
and obtain sensitive information. This issue only affected
Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(CVE-2023-28439)
It was discovered that CKEditor did not properly handle parsing HTML
content. An attacker could possibly use this issue to perform cross site
scripting and obtain sensitive information.
(CVE-2024-24815, CVE-2024-24816)
It was discovered that CKEditor did not properly sanitize version
notifications. An attacker could possibly use this issue to perform cross
site scripting and obtain sensitive information. This issue only affected
Ubuntu 24.04 LTS and Ubuntu 24.10. (CVE-2024-43411)
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 24.10
Ubuntu 24.04
-
ckeditor
-
4.22.1+dfsg1-2ubuntu0.24.04.1~esm1
Available with Ubuntu Pro
Ubuntu 22.04
-
ckeditor
-
4.16.2+dfsg-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 20.04
-
ckeditor
-
4.12.1+dfsg-1ubuntu0.1+esm1
Available with Ubuntu Pro
Ubuntu 18.04
-
ckeditor
-
4.5.7+dfsg-2ubuntu0.18.04.1+esm1
Available with Ubuntu Pro
Ubuntu 16.04
-
ckeditor
-
4.5.7+dfsg-2ubuntu0.16.04.1~esm2
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.