View Issue Details

ID: 0005920
Project: SOGo
Category: Web Mail
View Status: public
Last Update: 2024-02-13 09:40
Reporter: mj_antipode
Assigned To: sebastien
Priority: urgent
Severity: feature
Reproducibility: always
Status: assigned
Resolution: open
Product Version: 5.9.1
Summary: 0005920: [EDIT] Update CKEditor version CKEditor version check warning message
Description

The CKEditor team released a new update, and the integrated version (4.22.1) is being considered insecure. This produces a red floating box with this message, which is pretty alarming.

Additional Information

The Alinto team has already created a quick/dirty patch (THANKS):
https://github.com/Alinto/sogo/commit/5081de1639162be9d259a3c921fb05084f879ce4

Tags: No tags attached.

Activities

mj_antipode
2024-02-07 17:06
reporter

qhivert
2024-02-07 18:53
administrator ~0017566
Last edited: 2024-02-07 18:54

Hello!
Quentin from Alinto.

We can't simply get the next CKEditor 4 LTS version, as it is no longer free. We're looking for a solution ASAP.
Meanwhile, this dirty workaround is available in the next nightly to prevent CKEditor from making the request and showing this message.
Or you can do it in your current version by adding this:

config.versionCheck = false;

to your CKEditor config file:
on Ubuntu/Debian -> /usr/lib/GNUstep/SOGo/WebServerResources/js/vendor/ckeditor/config.js
on RHEL -> /usr/lib64/GNUstep/SOGo/WebServerResources/js/vendor/ckeditor/config.js

You'll need to clear your browser's data and cache so that the message does not appear again.
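As an added example (not part of qhivert's note and not SOGo's shipped file), this is the shape of a CKEditor 4 config.js that carries the workaround, together with a small check that builds the config the way CKEditor does and reports the effective flag. The CKEDITOR stub and the effectiveVersionCheck helper are assumptions so the file can be evaluated outside a browser.

```javascript
// Added example: a CKEditor 4 config.js with the version check disabled.
// In a real SOGo install this file sits at the path given in the note above.
// The CKEDITOR global is normally provided by ckeditor.js; it is stubbed here
// (assumption) so the config can be loaded under Node for verification.
const CKEDITOR = globalThis.CKEDITOR || (globalThis.CKEDITOR = {});

// CKEditor 4 calls CKEDITOR.editorConfig(config) once at startup and applies
// every property set on the config object. The setting from the note has to
// go inside this function, not at file top level.
CKEDITOR.editorConfig = function (config) {
  // Stop the editor from contacting the CKEditor update endpoint and from
  // showing the "insecure version" banner described in this issue. With the
  // bundled 4.22.1 the check is enabled unless this is set.
  config.versionCheck = false;
};

// Assumed helper (not CKEditor API): simulate CKEditor building its config and
// return the resulting versionCheck value, so an admin can confirm the override
// is actually in effect after editing the deployed config.js.
function effectiveVersionCheck() {
  const config = {}; // CKEditor starts from its defaults and overlays config.js
  CKEDITOR.editorConfig(config);
  return config.versionCheck;
}

// Usage: node config.js prints "versionCheck: false" when the override is in place.
console.log('versionCheck:', effectiveVersionCheck());
```

Browsers cache the old config.js aggressively, which is why the note asks for the cache to be cleared: the flag only takes effect once the updated file is the one actually loaded.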

sebastien
2024-02-07 21:25
administrator ~0017570

Just to clarify, there is no known weakness for now; this is just an informative message generated by CKEditor.
When sending the mail, the string goes through stringWithoutHTMLInjection, which checks for common XSS.

=> We're currently looking into how to update CKEditor, because the open-source version of CKEditor 4 is not maintained.
=> config.versionCheck will finally stay, as the webmail should not call external URLs (unlike my comment in the code :/).

Sebastien

Issue History

Date Modified Username Field Change
2024-02-07 17:06 mj_antipode New Issue
2024-02-07 17:06 mj_antipode File Added: Capture d’écran du 2024-02-07 17-19-44.png
2024-02-07 18:53 qhivert Note Added: 0017566
2024-02-07 18:54 qhivert Note Edited: 0017566
2024-02-07 21:25 sebastien Note Added: 0017570
2024-02-07 21:26 sebastien Severity minor => feature
2024-02-07 21:26 sebastien Summary CKEditor version check warning message => [EDIT] Update CKEditor version CKEditor version check warning message
2024-02-07 21:27 sebastien Assigned To => sebastien
2024-02-07 21:27 sebastien Status new => assigned
2024-02-13 09:40 sebastien Priority normal => urgent