⚠️️️ Please note that this release is a part of CKEditor 4 Extended Support Model, only available to customers who decided to acquire the LTS (Long Term Support) version of the editor. All editor versions below 4.24.0-lts can no longer be considered as secure! ⚠️

Security Updates:

• Fixed cross-site scripting (XSS) vulnerability caused by incorrect CDATA detection reported by Michal Frýba, ALEF NULA.

  Issue summary: The vulnerability allowed to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code. See GHA for more details.

• Fixed cross-site scripting (XSS) vulnerability in AJAX sample reported by Rafael Pedrero, see INCIBE report.

  Issue summary: The vulnerability allowed to execute JavaScript code by abusing the AJAX sample. See GHA for more details.

• Cross-site scripting (XSS) vulnerability in samples with enabled the preview feature reported by Marcin Wyczechowski & Michał Majchrowicz, AFINE Team.

  Issue summary: The vulnerability allowed to execute JavaScript code by abusing the misconfigured preview feature. See GHA for more details.

You can read more details in the relevant security advisories. Contact us if you have more questions.

An upgrade is highly recommended!

Fixed Issues:

• Fixed: The CDATA parsing mechanism incorrectly detects the end of CDATA content. This fix unifies how style and script elements are parsed with the browser's behavior.