GHSA-mw2c-vx6j-mg76
Suggest an improvement- Source
- https://github.com/advisories/GHSA-mw2c-vx6j-mg76
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-mw2c-vx6j-mg76/GHSA-mw2c-vx6j-mg76.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-mw2c-vx6j-mg76
- Aliases
- Related
- Published
- 2024-02-07T17:31:34Z
- Modified
- 2024-03-01T15:00:32Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- CKEditor4 Cross-site Scripting vulnerability in samples with enabled the preview feature
- Details
-
Affected packages
The vulnerability has been discovered in the samples that use the preview feature:
samples/old/**/*.htmlplugins/[plugin name]/samples/**/*.html
All integrators that use these samples in the production code can be affected.
Impact
A potential vulnerability has been discovered in one of CKEditor's 4 samples that are shipped with production code. The vulnerability allowed to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using the CKEditor 4 at version < 4.24.0-lts with affected samples used in a production environment.
Patches
The problem has been recognized and patched. The fix will be available in version 4.24.0-lts.
For more information
Email us at security@cksource.com if you have any questions or comments about this advisory.
Acknowledgements
The CKEditor 4 team would like to thank Marcin Wyczechowski & Michał Majchrowicz AFINE Team for recognizing and reporting this vulnerability.
- Database specific
{ "nvd_published_at": "2024-02-07T17:15:11Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-02-07T17:31:34Z" }- References
Affected packages
npm / ckeditor4
Package
- Name
- ckeditor4
- View open source insights on deps.dev
- Purl
- pkg:npm/ckeditor4