GHSA-mw2c-vx6j-mg76: CKEditor4 Cross-site Scripting vulnerability in samples with enabled the preview feature

Affected packages

The vulnerability has been discovered in the samples that use the preview feature:

• samples/old/*/.html
• plugins/[plugin name]/samples/*/.html

All integrators that use these samples in the production code can be affected.

Impact

A potential vulnerability has been discovered in one of CKEditor’s 4 samples that are shipped with production code. The vulnerability allowed to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using the CKEditor 4 at version < 4.24.0-lts with affected samples used in a production environment.

Patches

The problem has been recognized and patched. The fix will be available in version 4.24.0-lts.

For more information

Email us at [email protected] if you have any questions or comments about this advisory.

Acknowledgements

The CKEditor 4 team would like to thank Marcin Wyczechowski & Michał Majchrowicz AFINE Team for recognizing and reporting this vulnerability.

References

• GHSA-mw2c-vx6j-mg76
• ckeditor/ckeditor4@8ed1a3c
• https://ckeditor.com/cke4/addon/preview