-
ckeditor (4.12.1+dfsg-1ubuntu0.1) focal-security; urgency=medium
* SECURITY UPDATE: code injection in HTML data processor
- debian/patches/CVE-2021-33829.patch: treat --!> as a valid comment
end tag in core/htmlparser.js
- CVE-2021-33289
- CVE-2020-9281
* SECURITY UPDATE: HTML injection in clipboard plugin
- debian/patches/CVE-2021-32809.patch: clean unwanted characters and
tags from clipboard data in plugins/clipboard/plugin.js
- CVE-2021-32809
* SECURITY UPDATE: code injection through fake objects.
- debian/patches/CVE-2021-37695.patch: perform filtering over the
content used to restore real element in fakeobjects/plugin.js.
- CVE-2021-37695
-- David Fernandez Gonzalez <email address hidden> Fri, 18 Mar 2022 11:27:31 +0100
-
ckeditor (4.12.1+dfsg-1) unstable; urgency=medium
* New upstream release: fixes data lost during copy paste from
MS word.
* Use builddir for buildding tree instead of manual patching
* Bump policy and debhelper version
-- Bastien Roucariès <email address hidden> Tue, 03 Sep 2019 21:54:24 +0200
-
ckeditor (4.11.1+dfsg-1) unstable; urgency=high
* Security release:
Fixed XSS vulnerability in the HTML parser reported by maxarr.
Issue summary: It was possible to execute XSS inside CKEditor
after persuading the victim to:
(i) switch CKEditor to source mode, then
(ii) paste a specially crafted HTML code, prepared by the attacker,
into the opened CKEditor source area, and
(iii) switch back to WYSIWYG mode.
* Fix minors WYSIWYG mode issues.
-- Bastien Roucariès <email address hidden> Wed, 14 Nov 2018 16:04:19 +0100
