Affected plugins
Impact
A cross-site scripting vulnerability has been discovered affecting the Iframe Dialog and Media Embed packages. The vulnerability allowed JavaScript code to be triggered once the following special conditions were fulfilled:
a) Using one of the affected packages on a web page that lacks a proper Content Security Policy configuration,
b) Initializing the editor on an element and using an element other than <textarea> as a base,
c) Destroying the editor instance.
This vulnerability might affect a small percentage of integrators that depend on a dynamic editor initialization/destroy mechanism.
Potential breaking changes
In some rare cases, a security release may introduce a breaking change to your application. We have provided configuration options that will help you mitigate any potential issues with the upgrade:
- Starting from version 4.21, the Iframe Dialog plugin applies the sandbox attribute by default, which restricts JavaScript code execution in the iframe element. To change this behavior, configure the config.iframe_attributes option.
- Starting from version 4.21, the Media Embed plugin regenerates the entire content of the embed widget by default. To change this behavior, configure the config.embed_keepOriginalContent option.
If you choose to enable either of the above options, make sure to properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on your web page.
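An integrator who needs scripted embeds can relax the sandbox attribute per frame instead of dropping it for every iframe. The following is an added example, not code from the advisory or from CKEditor: the host names are constructed, sandboxFor and buildEditorConfig are hypothetical helpers, and it assumes config.iframe_attributes accepts a function that receives the iframe element (src under attributes.src) and returns an attribute map.

```javascript
'use strict';

// Constructed allow-list: hosts this (hypothetical) site trusts to run script in a frame.
const TRUSTED_EMBED_HOSTS = new Set(['player.example.com', 'maps.example.net']);

// Empty sandbox value: no script execution, frame treated as a unique origin.
const LOCKED_DOWN = Object.freeze({ sandbox: '' });
const RELAXED = Object.freeze({ sandbox: 'allow-scripts allow-same-origin' });

// Decide the iframe attributes from the frame's src and the origin of the host page.
function sandboxFor(src, pageOrigin) {
  let url;
  try {
    // Resolves relative and protocol-relative values against the page origin.
    url = new URL(src, pageOrigin);
  } catch (e) {
    return LOCKED_DOWN; // unparsable src: keep the restrictive default
  }
  // Rejects javascript:, data:, blob: and plain http: sources.
  if (url.protocol !== 'https:') return LOCKED_DOWN;
  // A same-origin frame with allow-scripts + allow-same-origin can reach the parent
  // document and remove its own sandbox, so never relax for our own origin.
  if (url.origin === pageOrigin) return LOCKED_DOWN;
  // Exact host match only: substring checks accept player.example.com.evil.test.
  return TRUSTED_EMBED_HOSTS.has(url.hostname) ? RELAXED : LOCKED_DOWN;
}

// Builds the editor configuration object (assumed callback shape, see lead-in).
function buildEditorConfig(pageOrigin) {
  return {
    iframe_attributes: function (iframe) {
      const attrs = (iframe && iframe.attributes) || {};
      return sandboxFor(attrs.src || '', pageOrigin);
    }
  };
}

// In the browser ('editor1' is a placeholder element id):
//   CKEDITOR.replace('editor1', buildEditorConfig(window.location.origin));
```

Frames that fall through to the locked-down value keep the 4.21 default behavior; the page's Content Security Policy should still restrict which origins may be framed at all.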
Patches
The problem has been recognized and patched. The fix will be available in version 4.21.0.
For more information
Email us at [email protected] if you have any questions or comments about this advisory.