Cross-Site Scripting vulnerability in CKSource CKEditor

Posted date 16/11/2023

Importance

3 - Medium

Affected Resources

CKEditor, 4.15.1 version and earlier.

Description

INCIBE has coordinated the publication of one vulnerabilitiy that affects CKEditor, an open source text editor that provides word processing functions on web pages, which has been discovered by Rafael Pedrero.

This vulnerabilitiy has been assigned the following code, CVSS v3.1 base score, CVSS vector string, and CWE vulnerability type:

CVE-2023-4771: CVSS v3.1: 6.1 | CVSS: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | CWE-79.

Solution

The issue was found in one of the archived samples that should never be used by integrators in production code. There is no information about potential security vulnerabilities in CKEditor 4 itself.

Detail

CVE-2023-4771: a Cross-Site scripting vulnerability has been found in CKSource CKEditor affecting versions 4.15.1 and earlier. An attacker could send malicious javascript code through the /ckeditor/samples/old/ajax.html file and retrieve an authorized user's information.

References list

Product sheet - CKSource

Etiquetas