Issue
- I found a vulnerability in CKEditor which can allow logged-in users to misuse the CKEditor. When I create web content and add code in the Source of the content field, an alert popup appears on top of the page.
Reproduction Steps:
1. Start 2024.q1.112. Go to Content & Data --> Web Content and add new web content.
2. Click on "Source" and then click the Preview icon to make the Source popup appear.
3. Type this code snippet: <img src="x" onerror="alert('1')"/>
Expected Result: Nothing happens.
Actual Result: An alert popup appears on top of the page.
Environment
- Liferay DXP 7.4 Quarterly Release 2024.q1.11
Resolution
- The issue has been fixed by LPD-33910. Please request a hotfix. The fix will be included in a future release.
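The root cause of the report above is that markup entered in the Source view reaches the page with its event-handler attributes intact. As an added example (not Liferay or CKEditor code, and not the LPD-33910 fix), the allowlist sanitizer below shows the defensive behaviour a content field should have: it keeps only known tags and attributes, drops every `on*` attribute, and rejects `javascript:`-style URLs in `src` and `href`. The tag list, attribute list and URL scheme list are assumptions chosen for the demonstration.

```javascript
// Added example: allowlist-based HTML sanitizer (not Liferay/CKEditor code).
// Tags not in ALLOWED are removed but their inner text is kept (escaped).
// Attribute values containing '>' are outside what this small tokenizer handles.
const ALLOWED = {
  p: [], br: [], b: [], i: [], strong: [], em: [], ul: [], ol: [], li: [],
  a: ['href', 'title'],
  img: ['src', 'alt', 'width', 'height'],
};
const SAFE_SCHEMES = ['http', 'https', 'mailto']; // assumption for the example

// Matches an HTML comment or a start/end tag: group 1 = "/" for closing tags,
// group 2 = tag name, group 3 = raw attribute text.
const TAG_RE = /<!--[\s\S]*?-->|<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*?)\s*\/?>/g;
// Matches one attribute: group 1 = name, groups 2-4 = value in "", '' or bare form.
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// A URL is safe if it has no scheme (relative, like the report's src="x")
// or its scheme is on the allowlist. Whitespace/control chars are removed first
// so that obfuscated schemes are still recognised.
function isSafeUrl(value) {
  const compact = value.replace(/[\s\u0000-\u001f]/g, '').toLowerCase();
  const m = compact.match(/^([a-z][a-z0-9+.-]*):/);
  return !m || SAFE_SCHEMES.includes(m[1]);
}

function sanitizeAttrs(tag, raw) {
  const allowed = ALLOWED[tag];
  const out = [];
  for (const m of raw.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (name.startsWith('on')) continue;                // onerror, onload, onclick ...
    if (!allowed.includes(name)) continue;              // not on this tag's allowlist
    if ((name === 'src' || name === 'href') && !isSafeUrl(value)) continue;
    out.push(` ${name}="${escapeHtml(value)}"`);        // re-serialise with escaping
  }
  return out.join('');
}

function sanitizeHtml(html) {
  let out = '';
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    out += escapeHtml(html.slice(last, m.index));       // text between tags
    last = m.index + m[0].length;
    if (m[0].startsWith('<!--')) continue;              // drop comments
    const closing = m[1] === '/';
    const tag = m[2].toLowerCase();
    if (!(tag in ALLOWED)) continue;                    // unknown tag: drop the tag itself
    out += closing ? `</${tag}>` : `<${tag}${sanitizeAttrs(tag, m[3])}>`;
  }
  out += escapeHtml(html.slice(last));
  return out;
}

// The snippet from the reproduction steps, run through the sanitizer:
console.log(sanitizeHtml('<img src="x" onerror="alert(\'1\')"/>')); // <img src="x">
```

The `img` tag and its relative `src` survive, while `onerror` is removed before the markup is rendered, so the broken image no longer executes script. The same pass turns `<a href="javascript:alert(1)">x</a>` into `<a>x</a>` and escapes stray `<` characters in plain text.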