CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
74.1%
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages on a web page with missing proper Content Security Policy configuration; initializing the editor on an element and using an element other than <textarea>
as a base; and destroying the editor instance. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism.
A fix is available in CKEditor4 version 4.21.0. In some rare cases, a security fix may be considered a breaking change. Starting from version 4.21.0, the Iframe Dialog plugin applies the sandbox
attribute by default, which restricts JavaScript code execution in the iframe element. To change this behavior, configure the config.iframe_attributes
option. Also starting from version 4.21.0, the Media Embed plugin regenerates the entire content of the embed widget by default. To change this behavior, configure the config.embed_keepOriginalContent
option. Those who choose to enable either of the more permissive options or who cannot upgrade to a patched version should properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on their web page.
Vendor | Product | Version | CPE |
---|---|---|---|
ckeditor | ckeditor | * | cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:* |
fedoraproject | fedora | 37 | cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* |
fedoraproject | fedora | 38 | cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:* |
fedoraproject | fedora | 39 | cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:* |
ckeditor.com/cke4/addon/embed
ckeditor.com/cke4/addon/iframe
github.com/ckeditor/ckeditor4/security/advisories/GHSA-vh5c-xwqv-cv9g
lists.fedoraproject.org/archives/list/[email protected]/message/GWKG2VCPJNETVCDTXU4X6FQ2PO6XCNGN/
lists.fedoraproject.org/archives/list/[email protected]/message/L4ODGOW6PYVOXHQSMWJBOCE6DXWAI33W/
lists.fedoraproject.org/archives/list/[email protected]/message/VCYKD3JZWWA3ESOZG4PHJJEXT4EYIUIQ/
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
74.1%