Magnolia 6.2.42 known issues
Security vulnerability in CKEditor 4.22.1
A vulnerability in the core HTML parsing module of CKEditor 4.22.1 was identified. This issue specifically impacts editor instances with full-page editing mode enabled or CDATA elements in the Advanced Content Filtering configuration. Magnolia doesn’t ship either of those two options by default.
For more information, see GitHub Advisory.
As a result of the CVE and issue disclosure, Magnolia may show a security warning prompt when opening any CKEditor instances in Magnolia.
We confirm that this only affects instances using a custom configJsFile containing config.fullPage=true or source-mode enabled and specific config.allowedContent allowing CDATA.
-
CVE entry: CVE-2024-24815
This issue affects all versions up to and including Magnolia 6.2.42. However, Magnolia ranks this issue as low severity because neither of the vulnerable features are enabled by default. In addition, Magnolia provides safeguards to prevent such issues from being exploited.
Given that the CKEditor prompt may be shown to editors when Magnolia is not affected,
Magnolia provides a release, 6.2.42-sp1, to turn off the security warning in CKEditor and a workaround for individual fields.
Magnolia 6.2.42-sp1
You can use CLI to download the patched release or add the bundle to your Maven projects.
mgnl jumpstart -m 6.2.42-sp1Alternatively, add the bundle to your Maven projects. Below are the download links.
<dependencyManagement>
<dependencies>
<dependency>
<groupId>info.magnolia.bundle</groupId>
<artifactId>magnolia-bundle-parent</artifactId>
<version>6.2.42-sp1</version>
<type>pom</type>
<scope>import</scope>
</dependency>
...<dependency>
<groupId>info.magnolia.bundle</groupId>
<artifactId>magnolia-community-webapp</artifactId>
<type>war</type>
</dependency>
<dependency>
<groupId>info.magnolia.bundle</groupId>
<artifactId>magnolia-community-webapp</artifactId>
<type>pom</type>
</dependency>
...<dependencyManagement>
<dependencies>
<!-- Magnolia related dependencies -->
<dependency>
<groupId>info.magnolia.dx</groupId>
<artifactId>magnolia-dx-core-parent</artifactId>
<version>6.2.42-sp1</version>
<type>pom</type>
<!-- Import the 'dependencyManagement' from the eebundle -> the whole project inherits all modules and their version from the eebundle -->
<scope>import</scope>
</dependency>
...<dependencies>
<!-- Magnolia related dependencies -->
<dependency>
<!-- Using the imported 'dependencyManagement' from the parent pom -->
<groupId>info.magnolia.dx</groupId>
<artifactId>magnolia-dx-core-webapp</artifactId>
<type>pom</type>
</dependency>
<dependency>
<!-- Used for the Maven war:overlay -> defines the WAR's structure, the configs, web.xml etc. -->
<groupId>info.magnolia.dx</groupId>
<artifactId>magnolia-dx-core-webapp</artifactId>
<type>war</type>
</dependency>
...Workaround
In a custom configJsFile, add the following line.
config.versionCheck=false;Detailed steps for adding a configuration file to a rich text field to turn off version checks are described below.
-
Add a
configJsFileproperty using the config-magnolia.js file to your field definition.richText: $type: richTextField label: CKEditor4 configJsFile: /.resources/<my-light-module>/config/webresources/config-magnolia.js -
Deploy the config file via the
webresourcesfolder of your light module.📁 my-light-module
📁 config
📁 webresources
⬩ config-magnolia.js
-
Extend the
config-magnolia.jsfile with theversionChecksetting inside theCKEDITOR.editorConfig = function( config )section.CKEDITOR.editorConfig = function( config ) { ... config.versionCheck=false; }