Vulnerable javascript library: Angular and CKEditor

mohammad_amro · November 17, 2021, 5:32pm

Hi,
I’ve issues with the latest installation of Indico 3.0.3. Our security team scans the indico using the QualysGuard scanner and the scan report shows the following vulnerables related to Javascript library Angular and CKEditor.

Vulnerable javascript library: Angular
version: 1.1.5
Details:
In angular versions below 1.6.5 both Firefox and Safari are vulnerable to XSS in $sanitize if an inert document created via document.implementation.createHTMLDocument() is used. Angular version
1.6.5 checks for these vulnerabilities and then use a DOMParser or XHR strategy if needed. Please refer to vendor documentation (docs(changelog): fix wrong date in changelog for 1.8.3 · angular/angular.js@47bf11e · GitHub
8f31f1ff43b673a24f84422d5c13d6312b2c4d94) for latest security updates.

Vulnerable javascript library: CKEditor
version: 4.7.3
script uri: http://indico-1.test/dist/js/ckeditor.b50a7c29.bundle.js
Details:
CKEditor versions on or above 4.5.11 and below 4.9.2 are vulnerable to XSS in the Enhanced Image plugin. The vulnerability stemmed from the fact that it was possible to execute XSS inside
CKEditor using the tag and a specially crafted HTML. Please refer to following resources for more details: CKEditor 4.9.2 with a security patch released , https://
Release notes | CKEditor.com.

Please, could you give me some hints?
Thanks

ThiefMaster · November 17, 2021, 5:39pm

Angular will go away in Indico 3.2. Also, $sanitize is not used, so most likely this is not applicable. In any case, updating angular is not an option since AngularJS 1 is ancient, which is one of the reasons we are getting rid of it.

We do not use the “enhanced image plugin” of CKEditor, so this is certainly not affecting Indico.

mohammad_amro · November 18, 2021, 7:23am

Thanks for your reply.
What is the expected release date for Indico 3.2.

ThiefMaster · November 18, 2021, 8:17am

we just started working on it a few weeks ago, so most likely Q1 2022

mknoerzer · November 24, 2021, 10:54am

@ThiefMaster: I assume you are talking about Indico 3.1 and not 3.2? The reason I am asking is that we currently are still on Indico 2.3.5 and are now working on migrating to Indico 3, but will still need some time for this. Thus, we are relying on security support of Indico 2.3. Some time ago you said that there are no plans on ending that security support in case of significant issues. Do you have a guess on how long we can plan to have that support?

Thanks a lot!

Michael

ThiefMaster · November 24, 2021, 10:58am

No, Angular will only go away in 3.2 - so Q1’22. We’re putting 3.1 in production at CERN today, so I expect a public 3.1 release either in december or early January.

And yes, if there any important security problems showed up in in 2.3, we’d most likely make a patch release. However, the two things you mentioned there - unless someone can find a way to exploit them in Indico as a regular user (not an event organizer) would most likely not qualify for this…