The vulnerability has been discovered in the samples that use the preview feature:
samples/old/**/*.html
plugins/[plugin name]/samples/**/*.html
All integrators that use these samples in the production code can be affected.
A potential vulnerability has been discovered in one of CKEditor's 4 samples that are shipped with production code. The vulnerability allowed to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using the CKEditor 4 at version < 4.24.0-lts with affected samples used in a production environment.
The problem has been recognized and patched. The fix will be available in version 4.24.0-lts.
Email us at security@cksource.com if you have any questions or comments about this advisory.
The CKEditor 4 team would like to thank Marcin Wyczechowski & Michał Majchrowicz AFINE Team for recognizing and reporting this vulnerability.
{ "nvd_published_at": "2024-02-07T17:15:11Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-02-07T17:31:34Z" }