CKE Editor warning 4.22.1 version not secure

Hello,

suddenly a warning from CKEditor pops up directly in the editor textarea, saying that the CKE version in use is not secure.
As far as I'm aware, CKE 4.24.0-lts cannot be integrated, as it is a paid/commercial LTS version.

So how to suppress this warning?
[Screenshot: CKE warning]

Edit: from the changelog of CKE:
Release notes | CKEditor.com
" :warning: Please note that this release is a part of CKEditor 4 Extended Support Model, only available to customers who decided to acquire the LTS (Long Term Support) version of the editor. All editor versions below 4.24.0-lts can no longer be considered as secure! :warning:"

2 Likes

Thanks for the warning @TomTheWise, looks like it started today, and it seems to show up on a pretty wide range of XWiki versions…

We need to see how we are going to handle that, starting with understanding whether XWiki really is impacted by those vulnerabilities (seems to be mostly about Cross-site scripting (XSS) vulnerability caused by incorrect CDATA detection · Advisory · ckeditor/ckeditor4 · GitHub). It’s not really my area of expertise, but we should have the answer quickly.

Thanks, just confirmed on our instance too :open_mouth:

I hope CKE allows the check to be disabled somewhere.

Hello all,

apparently the check of the version of the editor is a new configuration option, described here: Class Config (CKEDITOR.config) | CKEditor 4 API docs.

It was added in CKEditor version 4.22.0; XWiki upgraded to CKEditor 4.22.1 in this ticket: Loading...

From what I tested and from what I understand from the ckeditor configuration, the check itself can be disabled by adding:

config.versionCheck = false;

in the CKEditor configuration in XWiki, in the administration, in the advanced section of the editor configuration: https://extensions.xwiki.org/xwiki/bin/view/Extension/CKEditor%20Integration/#HAdministrationSection

This will disable the warning because it will prevent the editor from checking its own version, but it will not fix the version of the editor in any way.

Hope this helps,
Anca

7 Likes

Wow, thanks. That was really quick!

Of course, but my users would have no way to fix this on their own, so there’s no real point in having them see the warning.

1 Like

FTR @mflorea has found why this warning started to be displayed yesterday:

The HTTP request to https://cke4.ckeditor.com/ckeditor4-secure-version/versions.json?v=4.22.1 was failing before yesterday, because it was cross domain and cke4.ckeditor.com didn’t provide the right CORS HTTP headers. CKSource decided to “fix” this yesterday, thus enabling the warning. I can clearly see

access-control-allow-origin: *

in the response headers.

1 Like
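The two posts above describe two separate gates in front of the warning: the `config.versionCheck` switch, and the cross-origin lookup of `versions.json` that only succeeds when the server sends an `access-control-allow-origin` header the browser accepts. The following is an added illustration written for this thread, not CKEditor’s or XWiki’s own code: it models a client-side version check with both gates, so you can see why a missing CORS header silently hid the warning and why `versionCheck = false` only suppresses the message without changing the editor version. The payload shape (`secureVersion`), the sample versions, the page origin and the `simulateLookup` helper are all constructed for the example; the real `versions.json` format is not shown here.

```javascript
// Constructed illustration (not CKEditor's code) of a client-side version
// check gated by a remote lookup and a config switch.
// Assumptions: the payload shape {secureVersion} and the sample values are
// made up for this example; the real versions.json format is not modelled.

// Constructed stand-in for the remote versions.json document.
const SAMPLE_VERSIONS_JSON = { secureVersion: "4.24.0" };

// Browser-side CORS rule for a simple GET: the response must carry
// Access-Control-Allow-Origin equal to the page origin or "*".
function corsAllows(responseHeaders, pageOrigin) {
  const acao = responseHeaders["access-control-allow-origin"];
  return acao === "*" || acao === pageOrigin;
}

// Simulates fetch(): the body is only readable when CORS permits it;
// otherwise the browser raises a TypeError and the body stays unreachable.
function simulateLookup(responseHeaders, pageOrigin) {
  if (!corsAllows(responseHeaders, pageOrigin)) {
    throw new TypeError("Failed to fetch (blocked by CORS policy)");
  }
  return SAMPLE_VERSIONS_JSON;
}

// "4.22.1" or "4.24.0-lts" -> [4, 22, 1]; the "-lts" suffix is ignored here.
function parseVersion(v) {
  const parts = String(v).split("-")[0].split(".").map((n) => parseInt(n, 10));
  if (parts.length !== 3 || parts.some((n) => Number.isNaN(n))) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Numeric major.minor.patch comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Decide whether to show the "not secure" warning.
// `lookup` is injected so the network outcome can be controlled.
function checkEditorVersion(config, lookup) {
  if (config.versionCheck === false) {
    // Suppresses the warning only; the editor version itself is unchanged.
    return { warn: false, reason: "disabled via config.versionCheck" };
  }
  let data;
  try {
    data = lookup();
  } catch (err) {
    // A CORS-blocked request lands here: the check silently does nothing,
    // which is why a missing header masked the warning until it was added.
    return { warn: false, reason: `lookup failed: ${err.message}` };
  }
  const outdated = compareVersions(config.version, data.secureVersion) < 0;
  return {
    warn: outdated,
    reason: outdated
      ? `${config.version} is below secure version ${data.secureVersion}`
      : "version is current",
  };
}

// Demo: same editor version, three different outcomes.
const ORIGIN = "https://wiki.example.test"; // constructed page origin
const noCors = () => simulateLookup({}, ORIGIN);
const withCors = () =>
  simulateLookup({ "access-control-allow-origin": "*" }, ORIGIN);

console.log(checkEditorVersion({ version: "4.22.1" }, noCors));
console.log(checkEditorVersion({ version: "4.22.1" }, withCors));
console.log(checkEditorVersion({ version: "4.22.1", versionCheck: false }, withCors));
```

The first call models the situation before the header was added (request blocked, no warning), the second the situation after it (request allowed, warning shown), and the third the workaround from this thread: the lookup still succeeds, but the check never runs. Either way the editor remains at 4.22.1, so the flag is a display setting, not a fix.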

It’s now been fixed in Loading...

1 Like

Where (on Linux) can I find the config file?
Which config file? There are many.

Not sure why you mention a configuration file. You might want to look at the previous message from @lucaa.

Thank you very much!
It seems to be necessary to change the configuration in every Sub-Wiki, not only in the Main-Wiki.

It’s within the XWiki Administration page (for every sub-wiki separately). Look at the WYSIWYG Editor section and Advanced Configuration…

Yes, but it should be possible to write a script that updates the config (CKEditor.Config page) in all wikis.

@gdelhumeau was kind to publish a snippet with the Groovy code he used to update the CKEditor configuration on all (sub)wikis from an XWiki instance he’s managing. See https://snippets.xwiki.org/xwiki/bin/view/Extension/Update%20CKEditor%20configuration%20on%20all%20wikis/ .

Thanks,
Marius

1 Like

I also wanted to mention that we’ve analyzed the 3 security issues fixed by CKEditor in their private version 4.24.0 and they don’t affect XWiki.

2 Likes

Just out of curiosity, is there a plan or a timeline for when to decide on the new editor?
I just checked the page you guys made. WOW, a lot of new information since I last saw that page in November.

No precise timeline yet. The exploration is being done in the context of Cristal. For the selection, I’d say mid-year, but the implementation will take time. Maybe we’ll have a first version before the end of the year.

See https://design.xwiki.org/xwiki/bin/view/Proposal/RichEditorRealtimeEditing for the work that was started.

Hello, everyone! Thank you for this post! I see that this topic is considered solved and the solution is to disable the warning. @vmassol pointed out that XWiki is not affected. I was wondering, @vmassol, can you give some more details on why XWiki is not affected? From the GitHub Advisory alone, it’s not clear to me why XWiki wouldn’t be affected. And apparently that’s not the only vulnerability found so far, right? Thanks. I’m just worried about security, it feels weird to simply suppress a security warning without understanding better what is going on.

Thank you so much for XWiki, it is great!

1 Like

Hello. We reviewed the 3 advisories and found that XWiki was not affected (we don’t write reviews of our analyses so I can’t provide that to you). Please tell us precisely why you think XWiki could be affected and we could have another look. If your analysis contains security-related content, please send the info to the security mailing list (see https://dev.xwiki.org/xwiki/bin/view/Community/Discuss#HMailingLists), rather than here which is public :slight_smile:

Thanks a lot!