CKEditor, a third-party JavaScript library included in DXPR Builder, has fixed multiple vulnerabilities since we last updated this library.  

We do not consider these vulnerabilities critical because the CKEditor library in our module is only accessed by users with "Edit with DXPR Builder" permission, and the editor only loads content on fields that have "DXPR Builder" set as field formatter. In order to exploit these vulnerabilities an attacker would need to have permission to edit content of a field that has "DXPR Builder" set as field formatter. This configuration would not be advisable.

CKEditor security releases included in this update:

Date

Wednesday, March 10, 2021 - 14:00

Product and version

  • DXPR Builder
  • 1.x
  • 1.3.0
  • DXPR Builder
  • 7.x
  • 1.2.3
  • [LEGACY] Glazed Builder
  • 7.x
  • 1.5.1
  • [LEGACY] Glazed Builder
  • 8.x
  • 1.4.2

Impact key

Moderately Critical

Security risk

Vulnerability

Cross Site Scripting

Solution

If you are using DXPR Builder, update to version 1.4.0 or 7.x-1.3.0. If you are using Glazed Builder, update to version 8.x-1.4.4 or 7.x-1.5.2, and make plans to migrate your Glazed Builder to DXPR Builder. Find the migration guide here.

CVE Identifier

-