This repository has been archived by the owner on Sep 13, 2024. It is now read-only.

[PROD](renovate) Update dependency ckeditor/ckeditor to v4.24.0 [SECURITY] #17384

Closed

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Feb 20, 2024

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
ckeditor/ckeditor (source) 4.22.1 -> 4.24.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-24815

Affected packages

The vulnerability has been discovered in the core HTML parsing module and may affect all editor instances that:

Impact

A potential vulnerability has been discovered in the CKEditor 4 HTML processing core module. The vulnerability allowed an attacker to inject malformed HTML content, bypassing the Advanced Content Filtering mechanism, which could result in executing JavaScript code. An attacker could abuse faulty CDATA content detection and use it to prepare an intentional attack on the editor. It affects all users of CKEditor 4 at versions < 4.24.0-lts.

Patches

The problem has been recognized and patched. The fix will be available in version 4.24.0-lts.

For more information

Email us at [email protected] if you have any questions or comments about this advisory.

Acknowledgements

The CKEditor 4 team would like to thank Michal Frýba from ALEF NULA for recognizing and reporting this vulnerability.


Release Notes

ckeditor/ckeditor4-releases (ckeditor/ckeditor)

v4.24.0

Compare Source

⚠️ Please note that this release is part of the CKEditor 4 Extended Support Model, only available to customers who decided to acquire the LTS (Long Term Support) version of the editor. All editor versions below 4.24.0-lts can no longer be considered secure! ⚠️

Security Updates:

  • Fixed cross-site scripting (XSS) vulnerability caused by incorrect CDATA detection reported by Michal Frýba, ALEF NULA.

    Issue summary: The vulnerability allowed an attacker to inject malformed HTML content, bypassing the Advanced Content Filtering mechanism, which could result in executing JavaScript code. See GHA for more details.

  • Fixed cross-site scripting (XSS) vulnerability in the AJAX sample reported by Rafael Pedrero, see INCIBE report.

    Issue summary: The vulnerability allowed an attacker to execute JavaScript code by abusing the AJAX sample. See GHA for more details.

  • Fixed cross-site scripting (XSS) vulnerability in samples with the preview feature enabled, reported by Marcin Wyczechowski & Michał Majchrowicz, AFINE Team.

    Issue summary: The vulnerability allowed an attacker to execute JavaScript code by abusing the misconfigured preview feature. See GHA for more details.

You can read more details in the relevant security advisories. Contact us if you have more questions.

An upgrade is highly recommended!

Fixed Issues:

  • Fixed: The CDATA parsing mechanism incorrectly detected the end of CDATA content. This fix aligns the parsing of style and script elements with the browser's behavior.

v4.23.0

Compare Source

This release introduces the LTS ("Long Term Support") version of the editor, available under commercial terms ("Extended Support Model").

If you acquired the Extended Support Model for CKEditor 4 LTS, please read the CKEditor 4 LTS key activation guide.


Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Warsaw, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Feb 20, 2024
Contributor Author

renovate bot commented Feb 20, 2024

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: composer.lock
Command failed: composer update ckeditor/ckeditor:4.24.0 --with-dependencies --ignore-platform-req='ext-*' --ignore-platform-req='lib-*' --no-ansi --no-interaction --no-scripts --no-autoloader --no-plugins
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - ezyang/htmlpurifier is locked to version v4.16.0 and an update of this package was not requested.
    - ezyang/htmlpurifier v4.16.0 requires php ~5.6.0 || ~7.0.0 || ~7.1.0 || ~7.2.0 || ~7.3.0 || ~7.4.0 || ~8.0.0 || ~8.1.0 || ~8.2.0 -> your php version (8.3.3) does not satisfy that requirement.
  Problem 2
    - nette/php-generator is locked to version v3.6.9 and an update of this package was not requested.
    - nette/php-generator v3.6.9 requires php >=7.2 <8.3 -> your php version (8.3.3) does not satisfy that requirement.
  Problem 3
    - ezyang/htmlpurifier v4.16.0 requires php ~5.6.0 || ~7.0.0 || ~7.1.0 || ~7.2.0 || ~7.3.0 || ~7.4.0 || ~8.0.0 || ~8.1.0 || ~8.2.0 -> your php version (8.3.3) does not satisfy that requirement.
    - phpoffice/phpspreadsheet 1.29.0 requires ezyang/htmlpurifier ^4.15 -> satisfiable by ezyang/htmlpurifier[v4.16.0].
    - phpoffice/phpspreadsheet is locked to version 1.29.0 and an update of this package was not requested.
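The two checks a reviewer wants before merging a PR like this are (a) whether the locked ckeditor/ckeditor is still below the advisory's fixed release and (b) which locked packages carry a `php` constraint that the runtime PHP version fails, since that, not the CKEditor bump itself, is what broke Composer's resolution above. The script below is an added example for this page; it is not Renovate's or CKEditor's code. Its composer.lock excerpt is constructed to mirror the packages named in the artifact failure, and its constraint evaluator deliberately covers only the Composer operator forms that appear on the page (`~`, `^`, `>=`, `<`, `||` for OR and whitespace for AND), not the full Composer grammar.

```python
"""Audit a composer.lock for (a) a ckeditor/ckeditor version below the advisory's
fixed release and (b) locked packages whose `php` constraint excludes the PHP
version Composer is running under, which is what blocked Renovate here.

Added example for this PR page; it is not Renovate's or CKEditor's code. The
lock excerpt is constructed to mirror the packages named in the artifact
failure. The constraint evaluator is a deliberate subset of Composer's syntax:
only ~, ^, >=, >, <=, <, exact, "||" (OR) and whitespace (AND), which covers
every constraint quoted on the page.
"""
import json
import re

# Constructed composer.lock excerpt (not a real lock file).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "ckeditor/ckeditor", "version": "4.22.1", "require": {}},
    {"name": "ezyang/htmlpurifier", "version": "v4.16.0",
     "require": {"php": "~5.6.0 || ~7.0.0 || ~7.1.0 || ~7.2.0 || ~7.3.0 "
                        "|| ~7.4.0 || ~8.0.0 || ~8.1.0 || ~8.2.0"}},
    {"name": "nette/php-generator", "version": "v3.6.9",
     "require": {"php": ">=7.2 <8.3"}},
    {"name": "phpoffice/phpspreadsheet", "version": "1.29.0",
     "require": {"ezyang/htmlpurifier": "^4.15"}},
]})

FIXED_VERSION = "4.24.0"  # first CKEditor 4 release carrying the CDATA fix (advisory above)


def _split(ver):
    """'v4.16.0' -> [4, 16, 0]. A leading 'v' and a suffix such as '-lts' are ignored."""
    m = re.match(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", ver.strip())
    if not m:
        raise ValueError(f"unparseable version: {ver!r}")
    return [int(x) for x in m.groups() if x is not None]


def _pad(parts):
    return tuple(parts + [0] * (3 - len(parts)))


def _bump(parts, op):
    """Exclusive upper bound for ~ and ^: ~8.2.0 -> 8.3.0, ~1.2 -> 2.0.0, ^4.15 -> 5.0.0."""
    parts = list(parts)
    if op == "^":
        i = 0 if parts[0] > 0 or len(parts) == 1 else 1  # simplified caret rule
    else:
        i = 0 if len(parts) == 1 else len(parts) - 2
    return parts[:i] + [parts[i] + 1]


def _term_allows(term, v):
    m = re.match(r"(>=|<=|>|<|~|\^|==|=)?\s*(v?[\d.]+)$", term)
    if not m:
        raise ValueError(f"unsupported constraint term: {term!r}")
    op, lo = m.group(1) or "=", _pad(_split(m.group(2)))
    if op in ("~", "^"):
        return lo <= v < _pad(_bump(_split(m.group(2)), op))
    return {">=": v >= lo, ">": v > lo, "<=": v <= lo, "<": v < lo}.get(op, v == lo)


def constraint_allows(constraint, version):
    """True if `version` satisfies a Composer constraint such as '>=7.2 <8.3'."""
    v = _pad(_split(version))
    return any(all(_term_allows(t, v) for t in alt.split())
               for alt in constraint.split("||"))


def audit(lock_json, php_version):
    """Return human-readable findings for the lock file, in lock-file order."""
    findings = []
    for pkg in json.loads(lock_json)["packages"]:
        name, ver = pkg["name"], pkg["version"]
        if name == "ckeditor/ckeditor" and _pad(_split(ver)) < _pad(_split(FIXED_VERSION)):
            findings.append(f"{name} {ver} is below {FIXED_VERSION} (CVE-2024-24815)")
        php_req = pkg.get("require", {}).get("php")
        if php_req and not constraint_allows(php_req, php_version):
            findings.append(f"{name} {ver} requires php '{php_req}', incompatible with php {php_version}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_LOCK, "8.3.3"):
        print(line)
```

Run against the constructed lock with PHP 8.3.3 it reports three findings (the unpatched ckeditor/ckeditor plus the two packages from the Composer error); with PHP 8.2.x only the ckeditor/ckeditor finding remains, which is the same conclusion Composer reached. Note that the Renovate command already passes `--ignore-platform-req` for `ext-*` and `lib-*` but not for `php`; adding `--ignore-platform-req=php` would let the update resolve, but it would hide rather than fix the PHP 8.3 incompatibility of the two locked packages, so the practical path is to bump ezyang/htmlpurifier and nette/php-generator to versions whose `php` constraints allow 8.3 in the same change as the ckeditor/ckeditor update.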


@renovate renovate bot changed the title [PROD](renovate) Update dependency ckeditor/ckeditor to v4.24.0 [SECURITY] [PROD](renovate) Update dependency ckeditor/ckeditor to v4.24.0 [SECURITY] - autoclosed Feb 24, 2024
@renovate renovate bot closed this Feb 24, 2024
@renovate renovate bot deleted the renovate/packagist-ckeditor/ckeditor-vulnerability branch February 24, 2024 01:21
@renovate renovate bot changed the title [PROD](renovate) Update dependency ckeditor/ckeditor to v4.24.0 [SECURITY] - autoclosed [PROD](renovate) Update dependency ckeditor/ckeditor to v4.24.0 [SECURITY] Feb 24, 2024
@renovate renovate bot reopened this Feb 24, 2024
@renovate renovate bot restored the renovate/packagist-ckeditor/ckeditor-vulnerability branch February 24, 2024 03:35
@renovate renovate bot force-pushed the renovate/packagist-ckeditor/ckeditor-vulnerability branch from 6348aad to 2398d3e Compare February 24, 2024 03:35