CKEditor, a third-party JavaScript library included in DXPR Builder, has fixed multiple vulnerabilities since we last updated this library.
We do not consider these vulnerabilities critical because the CKEditor library in our module is only accessed by users with the "Edit with DXPR Builder" permission, and the editor only loads content on fields that have "DXPR Builder" set as the field formatter. To exploit these vulnerabilities, an attacker would need permission to edit the content of a field that has "DXPR Builder" set as the field formatter. Such a configuration would not be advisable.
CKEditor security releases included in this update:
Date
Wednesday, March 10, 2021 - 14:00
Product updates
- DXPR Builder 1.x: 1.3.0
- DXPR Builder 7.x: 1.2.3
- [LEGACY] Glazed Builder 7.x: 1.5.1
- [LEGACY] Glazed Builder 8.x: 1.4.2
Impact key
Moderately Critical
Security risk
Vulnerability
Cross Site Scripting
Solution
If you are using DXPR Builder, update to version 1.4.0 or 7.x-1.3.0. If you are using Glazed Builder, update to version 8.x-1.4.4 or 7.x-1.5.2, and make plans to migrate your Glazed Builder to DXPR Builder. Find the migration guide here.
CVE Identifier
-