Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-mw2c-vx6j-mg76: CKEditor4 Cross-site Scripting vulnerability in samples with enabled the preview feature

Affected packages

The vulnerability has been discovered in the samples that use the preview feature:

  • samples/old/**/*.html
  • plugins/[plugin name]/samples/**/*.html

All integrators that use these samples in the production code can be affected.

Impact

A potential vulnerability has been discovered in one of CKEditor’s 4 samples that are shipped with production code. The vulnerability allowed to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using the CKEditor 4 at version < 4.24.0-lts with affected samples used in a production environment.

Patches

The problem has been recognized and patched. The fix will be available in version 4.24.0-lts.

For more information

Email us at [email protected] if you have any questions or comments about this advisory.

Acknowledgements

The CKEditor 4 team would like to thank Marcin Wyczechowski & Michał Majchrowicz AFINE Team for recognizing and reporting this vulnerability.

ghsa
#xss#vulnerability#java

Affected packages

The vulnerability has been discovered in the samples that use the preview feature:

  • samples/old/*/.html
  • plugins/[plugin name]/samples/*/.html

All integrators that use these samples in the production code can be affected.

Impact

A potential vulnerability has been discovered in one of CKEditor’s 4 samples that are shipped with production code. The vulnerability allowed to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using the CKEditor 4 at version < 4.24.0-lts with affected samples used in a production environment.

Patches

The problem has been recognized and patched. The fix will be available in version 4.24.0-lts.

For more information

Email us at [email protected] if you have any questions or comments about this advisory.

Acknowledgements

The CKEditor 4 team would like to thank Marcin Wyczechowski & Michał Majchrowicz AFINE Team for recognizing and reporting this vulnerability.

References

  • GHSA-mw2c-vx6j-mg76
  • ckeditor/ckeditor4@8ed1a3c
  • https://ckeditor.com/cke4/addon/preview

ghsa: Latest News

GHSA-7p9f-6x8j-gxxp: CRI-O: Maliciously structured checkpoint file can gain arbitrary node access