Description
It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).
Packages
| Package | Status | Fixed version | Release | Type |
|---|---|---|---|---|
| ckeditor | fixed | 4.16.0+dfsg-1 | | package |
| ckeditor | no-dsa | | buster | package |
| ckeditor | postponed | | stretch | package |
| ckeditor3 | not-affected | | | package |
Notes
https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416
https://github.com/ckeditor/ckeditor4/commit/467cc95b666d65ba9dc84c05dd760a00395a353a (4.16.0)
Related vulnerabilities
It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).
It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).
Inclusion of Functionality from Untrusted Control Sphere in CKEditor 4
Vulnerability in the Autolink plugin of the CKEditor WYSIWYG editor, related to inclusion of functionality from an untrusted control sphere, allowing an attacker to cause a denial of service