
CKEditor4 low-risk cross-site scripting (XSS) vulnerability linked to potential domain takeover

Low severity GitHub Reviewed Published Aug 21, 2024 in ckeditor/ckeditor4 • Updated Aug 21, 2024

Package

npm ckeditor4 (npm)

Affected versions

>= 4.22.0, < 4.25.0

Patched versions

4.25.0

Description

Affected Packages

The issue affects only editor instances that have version notifications enabled.

Please note that this feature is disabled by default in all CKEditor 4 LTS versions. Therefore, if you use CKEditor 4 LTS, it is highly unlikely that you are affected by this vulnerability. If you are unsure, please contact us.

Impact

A theoretical vulnerability has been identified in CKEditor 4.22.0 and later versions before 4.25.0-lts. In the highly unlikely scenario where an attacker gains control over the https://cke4.ckeditor.com domain (the origin the version-notification feature talks to), they could use that channel to mount an attack, a cross-site scripting attack in this case, against CKEditor 4 instances with version notifications enabled. Although the vulnerability is purely hypothetical, we have addressed it in CKEditor 4.25.0-lts to ensure compliance with security best practices.
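The two conditions in the Affected Packages and Impact sections above (a version in the affected range and version notifications switched on) can be checked mechanically. The following is an added example written for this page, not code from CKEditor or CKSource. It assumes the notification feature is governed by a config key named `versionCheck` (verify that name against your build's config.js or the CKEditor 4 docs before relying on it) and that version strings look like `4.24.0-lts` or `4.22.1`.

```javascript
// Added example for this advisory; not code from CKEditor or CKSource.
// Decides whether a CKEditor 4 deployment sits in the affected range
// (>= 4.22.0, < 4.25.0) AND has version notifications switched on.
// ASSUMPTION: the notification feature is controlled by the config key
// `versionCheck`; confirm that name against your build's config.js/docs.

const AFFECTED_MIN = [4, 22, 0]; // inclusive lower bound from the advisory
const FIXED_VERSION = [4, 25, 0]; // first patched release (4.25.0-lts)

// Parse "4.24.0-lts" or "4.22.1" into [major, minor, patch].
// The "-lts" suffix carries no ordering information for this check.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable CKEditor version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function versionInAffectedRange(version) {
  const v = parseVersion(version);
  return compareVersions(v, AFFECTED_MIN) >= 0 &&
         compareVersions(v, FIXED_VERSION) < 0;
}

// Three-state read of the flag: an explicit true/false is authoritative;
// an absent key means the build default applies (off in LTS builds per the
// advisory, but confirm in config.js rather than assuming).
function versionCheckState(config) {
  if (!config || config.versionCheck === undefined) return 'unset';
  return config.versionCheck === true ? 'on' : 'off';
}

function assessInstance(version, config) {
  const inRange = versionInAffectedRange(version);
  const state = versionCheckState(config);
  let action;
  if (!inRange) {
    action = 'not in the affected version range';
  } else if (state === 'off') {
    action = 'in range but feature disabled; upgrade to 4.25.0-lts when convenient';
  } else if (state === 'on') {
    action = 'exposed: upgrade to 4.25.0-lts, or set versionCheck: false until then';
  } else {
    action = 'in range, flag not set: confirm the build default before relying on it';
  }
  return { inRange, versionCheck: state, exposed: inRange && state === 'on', action };
}

// Hardened config fragment: pin the flag off instead of relying on the default.
const hardenedConfig = { versionCheck: false };

// Constructed sample inputs, not real deployments.
console.log(assessInstance('4.24.0-lts', { versionCheck: true }));
console.log(assessInstance('4.24.0-lts', hardenedConfig));
console.log(assessInstance('4.25.0-lts', { versionCheck: true }));
```

In a browser with the editor loaded, `assessInstance(CKEDITOR.version, CKEDITOR.instances.editor1.config)` reads the live values (`editor1` stands for whatever name you passed to `CKEDITOR.replace`). The `unset` state is deliberately not treated as safe: the advisory only says the feature is off by default in LTS builds, so a deployment that never sets the flag should verify its build's default rather than rely on this script.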

Patches

The issue has been recognized and patched. The fix is available in version 4.25.0-lts.

For More Information

If you have any questions or comments about this advisory, please email us at [email protected].

References

jacekbogdanski published to ckeditor/ckeditor4 Aug 21, 2024
Published by the National Vulnerability Database Aug 21, 2024
Published to the GitHub Advisory Database Aug 21, 2024
Reviewed Aug 21, 2024
Last updated Aug 21, 2024

Severity

Low

EPSS score

0.043% (10th percentile)

CVE ID

CVE-2024-43411

GHSA ID

GHSA-6v96-m24v-f58j
