OTRS Security Advisory 2024-04

OSA-2024-04 A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor

A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because –!> is mishandled.

PRODUCT AFFECTED:

This issue affects

OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1;

OTRSAdvancedEditor: from 6.0.X through 6.0.30, from 7.0.X through 7.0.32, from 8.0.X through 8.0.15, from 2023.X through 2023.1.1.

((OTRS)) Community Edition: from 6.0.1 through 6.0.34

---------------------------
A cross-site scripting (XSS) vulnerability in the HTML Data Processor in
CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject
executable JavaScript code through a crafted comment because --!> is mishandled.

References:
https://otrs.com/release-notes/otrs-security-advisory-2024-04/
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33829
https://www.cve.org/CVERecord?id=CVE-2021-33829
https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser
https://bugzilla.redhat.com/show_bug.cgi?id=1974728
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/
https://www.drupal.org/sa-core-2021-003
https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/