Headline
GHSA-mw2c-vx6j-mg76: CKEditor4 Cross-site Scripting vulnerability in samples with enabled the preview feature
Affected packages
The vulnerability has been discovered in the samples that use the preview feature:
samples/old/**/*.html
plugins/[plugin name]/samples/**/*.html
All integrators that use these samples in the production code can be affected.
Impact
A potential vulnerability has been discovered in one of CKEditor’s 4 samples that are shipped with production code. The vulnerability allowed to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using the CKEditor 4 at version < 4.24.0-lts with affected samples used in a production environment.
Patches
The problem has been recognized and patched. The fix will be available in version 4.24.0-lts.
For more information
Email us at [email protected] if you have any questions or comments about this advisory.
Acknowledgements
The CKEditor 4 team would like to thank Marcin Wyczechowski & Michał Majchrowicz AFINE Team for recognizing and reporting this vulnerability.
Affected packages
The vulnerability has been discovered in the samples that use the preview feature:
- samples/old/*/.html
- plugins/[plugin name]/samples/*/.html
All integrators that use these samples in the production code can be affected.
Impact
A potential vulnerability has been discovered in one of CKEditor’s 4 samples that are shipped with production code. The vulnerability allowed to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using the CKEditor 4 at version < 4.24.0-lts with affected samples used in a production environment.
Patches
The problem has been recognized and patched. The fix will be available in version 4.24.0-lts.
For more information
Email us at [email protected] if you have any questions or comments about this advisory.
Acknowledgements
The CKEditor 4 team would like to thank Marcin Wyczechowski & Michał Majchrowicz AFINE Team for recognizing and reporting this vulnerability.
References
- GHSA-mw2c-vx6j-mg76
- ckeditor/ckeditor4@8ed1a3c
- https://ckeditor.com/cke4/addon/preview