Security Vulnerability on Xibo 2.3.8 found

Running the Greenbone security analyzer, it shows that Xibo is vulnerable to ReDoS vulnerabilities. It says to update the version of CKEditor, but I'm not sure how to go about that in Docker. I am running on CentOS 6 with Xibo 2.3.8 installed.

Summary

CKEditor is prone to multiple regular expression denial of service (ReDoS) vulnerabilities.

Detection Result

Installed version: 4.3
Fixed version: 4.16
Installation path / port: /dist/vendor/ckeditor

Insight

The following vulnerabilities exist:
- ReDoS in the Advanced Tab for Dialogs plugin (CVE-2021-26271)
- ReDoS in the Autolink plugin (CVE-2021-26272)

Detection Method

Checks if a vulnerable version is present on the target host.

Affected Software/OS

CKEditor versions 4.0 - 4.15.1.

Impact

Solution

Solution Type: Vendorfix

Update to version 4.16 or later

References
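One way to check the two things that matter here (whether the bundled CKEditor version falls inside the affected range, and whether the two plugins the CVEs concern are actually part of the build) against files copied out of the container, as an added example that is not part of the original post or of Xibo's own code. It assumes the `version:"x.y.z"` literal in `ckeditor.js` and the `plugins : { ... }` object in `build-config.js` as they appear in a standard CKEditor 4 distribution, and that the plugin folder names are `dialogadvtab` and `autolink`; the inline sample file contents are constructed to mirror the scan result above, not taken from a real install.

```python
import re

# Affected range from the scan result: CKEditor 4.0 through 4.15.1, fixed in 4.16.
AFFECTED_MIN = (4, 0)
FIXED_VERSION = (4, 16)

# CKEditor 4 plugin folder names for the two plugins named in the finding
# (assumption: standard CKEditor 4 naming, verify against your bundle).
REDOS_PLUGINS = {
    "dialogadvtab": "CVE-2021-26271 (Advanced Tab for Dialogs)",
    "autolink": "CVE-2021-26272 (Autolink)",
}

# Constructed sample inputs standing in for files copied out of the container
# (e.g. docker cp <container>:<webroot>/dist/vendor/ckeditor/ckeditor.js .).
SAMPLE_CKEDITOR_JS = 'window.CKEDITOR||(window.CKEDITOR=function(){var a={timestamp:"",version:"4.3",revision:"0"};'
SAMPLE_BUILD_CONFIG = """
var CKBUILDER_CONFIG = {
    skin : 'moono',
    preset : 'standard',
    ignore : [ '.bender', 'bender.js' ],
    plugins : {
        'about' : 1,
        'basicstyles' : 1,
        'dialogadvtab' : 1,
        'link' : 1
    },
    languages : { 'en' : 1 }
};
"""


def parse_version(text):
    """Turn '4.3' or '4.15.1' into a tuple of ints that compares numerically."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable_version(version):
    """True if version is in [4.0, 4.16), the range the scanner flags."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_VERSION


def extract_version(ckeditor_js):
    """Best-effort pull of the version literal from ckeditor.js.
    The exact form varies by build, so the regex is an assumption."""
    m = re.search(r'version\s*[:=]\s*["\']([0-9]+(?:\.[0-9]+)*)', ckeditor_js)
    return m.group(1) if m else None


def plugins_from_build_config(build_config_js):
    """Return the set of plugin names listed in the plugins : { ... } object."""
    m = re.search(r"plugins\s*:\s*\{(.*?)\}", build_config_js, re.S)
    if not m:
        return set()
    return set(re.findall(r"['\"]?([a-z0-9_]+)['\"]?\s*:", m.group(1)))


def exposed_redos_plugins(plugins):
    """Map each bundled plugin that the two CVEs concern to its CVE label."""
    return {p: REDOS_PLUGINS[p] for p in plugins if p in REDOS_PLUGINS}


def assess(ckeditor_js, build_config_js):
    """Combine both checks: a vulnerable version only matters if a
    vulnerable plugin is actually shipped in the build."""
    version = extract_version(ckeditor_js)
    vulnerable = version is not None and is_vulnerable_version(version)
    exposed = exposed_redos_plugins(plugins_from_build_config(build_config_js))
    return {
        "version": version,
        "vulnerable_version": vulnerable,
        "exposed_plugins": exposed,
        "reachable": vulnerable and bool(exposed),
    }


if __name__ == "__main__":
    result = assess(SAMPLE_CKEDITOR_JS, SAMPLE_BUILD_CONFIG)
    print(f"CKEditor {result['version']}: in affected range = {result['vulnerable_version']}")
    for name, cve in result["exposed_plugins"].items():
        print(f"  bundled plugin {name}: {cve}")
    print(f"vulnerable code reachable = {result['reachable']}")
```

The version comparison alone reproduces the scanner's verdict; the plugin check is what turns that verdict into an exploitability question, which is the argument the vendor reply makes. If `build-config.js` is not present in the bundle, listing the `plugins/` directory gives the same names.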

Thank you very much eatyourpeas747 for creating this post and passing on the details. An internal ticket has been logged to investigate this further.

Many Thanks.

We’ve confirmed that we do not use either of the two plugins mentioned in the CVEs listed.

ckeditor 4.16 has some compatibility issues with Xibo and therefore we can’t upgrade - however we will re-target the bug to 3.1 and look at getting ckeditor4 latest release to work, or moving to ckeditor5.
