CKEditor4 low-risk cross-site scripting (XSS) vulnerability linked to potential domain takeover
Published: August 21, 2024
SECURITY IDENTIFIERS
- CVE: CVE-2024-43411 (NVD)
- GHSA: GHSA-6v96-m24v-f58j
- Vendor Advisory: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-6v96-m24v-f58j
GEM
SEVERITY
CVSS v3.x: 3.1 (Low)
PATCHED VERSIONS
None available.
DESCRIPTION
Affected Packages
The issue impacts only editor instances with enabled version notifications.
Please note that this feature is disabled by default in all CKEditor 4 LTS versions. Therefore, if you use CKEditor 4 LTS, it is highly unlikely that you are affected by this vulnerability. If you are unsure, please contact us.
Impact
A theoretical vulnerability has been identified in CKEditor 4.22 (and above). In a highly unlikely scenario where an attacker gains control over the https://cke4.ckeditor.com domain, they could potentially execute an attack on CKEditor 4 instances. Although the vulnerability is purely hypothetical, we have addressed it in CKEditor 4.25.0-lts to ensure compliance with security best practices.
Patches
The issue has been recognized and patched. The fix is available in version 4.25.0-lts.
For More Information
If you have any questions or comments about this advisory, please email us at security@cksource.com.