View Issue Details

ID: 0005920
Project: SOGo
Category: Web Mail
View Status: public
Last Update: 2024-02-13 09:40
Reporter: mj_antipode
Assigned To: sebastien
Status: assigned
Resolution: open
Product Version: 5.9.1
Summary: 0005920: [EDIT] Update CKEditor version CKEditor version check warning message

The CKEditor team released a new update and the integrated version (4.22.1) is being considered as insecure. This produces a red floating box with this message being pretty alarming.

Additional Information

The Alinto team has already created a quick/dirty patch (THANKS):

Tags: No tags attached.








2024-02-07 18:53

administrator   ~0017566

Last edited: 2024-02-07 18:54

Quentin from Alinto.

We can't simply get the next ckeditor4 LTS version as it is no longer free. We're looking for a solution ASAP.
Meanwhile, there is this dirty workaround available in the next nightly to prevent ckeditor from making the request and showing this message.
Or you can do it in your current version by adding this:

config.versionCheck = false;

to your ckeditor config file:
in Ubuntu/Debian -> /usr/lib/GNUstep/SOGo/WebServerResources/js/vendor/ckeditor/config.js
in RHEL -> /usr/lib64/GNUstep/SOGo/WebServerResources/js/vendor/ckeditor/config.js

You'll need to empty the data and cache of your browser to not see the message again.
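
One way to audit and apply the workaround from the note above on a server, as an added example that is not part of the original note or of SOGo's code. It assumes config.js uses the stock CKEditor 4 "CKEDITOR.editorConfig = function( config ) {" form; the function names version_check_disabled and disable_version_check are hypothetical.

```shell
#!/bin/sh
# Added example, not SOGo's own code. Assumes config.js uses the stock CKEditor 4
# form "CKEDITOR.editorConfig = function( config ) {" with the argument named config.

# Returns 0 if a non-commented line sets config.versionCheck = false.
version_check_disabled() {
    grep -Ev '^[[:space:]]*//' "$1" |
        grep -Eq 'config\.versionCheck[[:space:]]*=[[:space:]]*false[[:space:]]*;'
}

# Idempotently applies the workaround and keeps a .bak copy.
# Returns 1 (file untouched) if no editorConfig function is found, 2 on I/O errors.
disable_version_check() {
    cfg=$1
    [ -f "$cfg" ] || return 2
    version_check_disabled "$cfg" && return 0
    tmp=$(mktemp) || return 2
    awk '
        /^[ \t]*config\.versionCheck[ \t]*=/ { next }   # drop a conflicting value
        /CKEDITOR\.editorConfig[ \t]*=[ \t]*function/ { seen = 1 }
        { print }
        # insert right after the opening brace of the editorConfig function
        seen && !done && index($0, "{") { print "\tconfig.versionCheck = false;"; done = 1 }
        END { exit (done ? 0 : 1) }
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    cp -p "$cfg" "$cfg.bak" && cat "$tmp" > "$cfg"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Audit only: report the state of the two paths quoted in the note above.
for p in /usr/lib/GNUstep/SOGo/WebServerResources/js/vendor/ckeditor/config.js \
         /usr/lib64/GNUstep/SOGo/WebServerResources/js/vendor/ckeditor/config.js; do
    [ -f "$p" ] || continue
    if version_check_disabled "$p"; then
        echo "versionCheck disabled: $p"
    else
        echo "versionCheck NOT disabled: $p"
    fi
done
```

Because a package upgrade can replace config.js, re-running the audit after each SOGo update shows whether the setting is still in place.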



2024-02-07 21:25

administrator   ~0017570

Just to clarify, there is no known weakness for now; this is just an informative message generated by ckeditor.
When sending the mail, the string goes into stringWithoutHTMLInjection and is checked for common XSS.

=> We're currently looking into how to update ckeditor, because the Open Source version of ckeditor4 is not maintained.
=> The config.versionCheck will finally stay as the webmail should not call external URLs (unlike my comment in the code :/).


Issue History

Date Modified Username Field Change
2024-02-07 17:06 mj_antipode New Issue
2024-02-07 17:06 mj_antipode File Added: Capture d’écran du 2024-02-07 17-19-44.png
2024-02-07 18:53 qhivert Note Added: 0017566
2024-02-07 18:54 qhivert Note Edited: 0017566
2024-02-07 21:25 sebastien Note Added: 0017570
2024-02-07 21:26 sebastien Severity minor => feature
2024-02-07 21:26 sebastien Summary CKEditor version check warning message => [EDIT] Update CKEditor version CKEditor version check warning message
2024-02-07 21:27 sebastien Assigned To => sebastien
2024-02-07 21:27 sebastien Status new => assigned
2024-02-13 09:40 sebastien Priority normal => urgent