GoogleOSV:GHSA-Q9W4-W667-QQJ4ckeditor-wordcount-plugin vulnerable to Cross-site Scripting in Source Mode of Editor
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
25.6%
Problem
It has been discovered that the ckeditor-wordcount-plugin plugin for CKEditor4 is susceptible to cross-site scripting when switching to the source code mode.
Solution
Update to version 1.17.12 of the ckeditor-wordcount-plugin plugin.
Credits
- @sypets for reporting this finding to the TYPO3 Security Team
- @ohader for fixing the issue on behalf of the TYPO3 Security Team
| CPE | Name | Operator | Version |
|---|---|---|---|
| ckeditor-wordcount-plugin | lt | 1.17.12 |
References
github.com/TYPO3/typo3/security/advisories/GHSA-m8fw-p3cr-6jqc
github.com/w8tcha/CKEditor-WordCount-Plugin
github.com/w8tcha/CKEditor-WordCount-Plugin/commit/0f03b3e5b7c1409998a13aba3a95396e6fa349d8
github.com/w8tcha/CKEditor-WordCount-Plugin/commit/a4b154bdf35b3465320136fcb078f196b437c2f1
github.com/w8tcha/CKEditor-WordCount-Plugin/security/advisories/GHSA-q9w4-w667-qqj4
nvd.nist.gov/vuln/detail/CVE-2023-37905
typo3.org/security/advisory/typo3-core-sa-2023-004
Related
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
25.6%