RubySec

Providing security resources for the Ruby community

CVE-2024-43411 (ckeditor): CKEditor4 low-risk cross-site scripting (XSS) vulnerability linked to potential domain takeover

ADVISORIES

GEM

ckeditor

SEVERITY

CVSS v3.x: 3.1 (Low)

PATCHED VERSIONS

None.

DESCRIPTION

Affected Packages

The issue impacts only editor instances with enabled version notifications.

Please note that this feature is disabled by default in all CKEditor 4 LTS versions. Therefore, if you use CKEditor 4 LTS, it is highly unlikely that you are affected by this vulnerability. If you are unsure, please contact us.

Impact

A theoretical vulnerability has been identified in CKEditor 4.22 (and above). In a highly unlikely scenario where an attacker gains control over the https://cke4.ckeditor.com domain, they could potentially execute an attack on CKEditor 4 instances. Although the vulnerability is purely hypothetical, we have addressed it in CKEditor 4.25.0-lts to ensure compliance with security best practices.

Patches

The issue has been recognized and patched. The fix is available in version 4.25.0-lts.

For More Information

If you have any questions or comments about this advisory, please email us at security@cksource.com.

RELATED