Cross-Site Scripting vulnerability in CKSource CKEditor

Posted date 16/11/2023
3 - Medium
Affected Resources
  • CKEditor, 4.15.1 version and earlier.

INCIBE has coordinated the publication of one vulnerability that affects CKEditor, an open source text editor that provides word-processing functions on web pages. The vulnerability was discovered by Rafael Pedrero.

This vulnerability has been assigned the following identifier, CVSS v3.1 base score, CVSS vector string and CWE vulnerability type:

  • CVE-2023-4771: CVSS v3.1: 6.1 | CVSS: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | CWE-79.

The issue was found in one of the archived samples shipped with CKEditor 4 (under the samples/old/ directory), which integrators should never deploy as part of production code. No vulnerability in the CKEditor 4 editor itself has been reported.

  • CVE-2023-4771: a cross-site scripting vulnerability has been found in CKSource CKEditor affecting versions 4.15.1 and earlier. An attacker could inject malicious JavaScript code through the /ckeditor/samples/old/ajax.html file and, if a victim opens the crafted page, obtain an authenticated user's information.
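Because the affected file is a sample rather than part of the editor, the practical check is whether the samples tree is present in a deployed web root at all. The script below is an added example written for this page (it is not INCIBE's or CKSource's code); it assumes the upstream layout in which CKEditor 4 is unpacked into a `ckeditor/` directory under the web root, and builds a throwaway web root so it runs offline.

```shell
# Added example, not part of the INCIBE advisory or of CKEditor itself.
# Checks a deployed web root for the archived CKEditor 4 samples, which the
# advisory says should never ship in production, and removes them.
# Assumption: CKEditor 4 was unpacked as <webroot>/ckeditor/ (upstream layout).

# Relative paths of the sample tree and of the file named in CVE-2023-4771.
CKEDITOR_SAMPLES_DIR="ckeditor/samples"
CKEDITOR_AFFECTED_SAMPLE="ckeditor/samples/old/ajax.html"

# Returns 0 (and prints the offending paths) if samples are present under $1,
# 1 if the web root is clean, 2 if no web root was given.
ckeditor_samples_present() {
    webroot="$1"
    [ -n "$webroot" ] || return 2
    found=1
    if [ -f "$webroot/$CKEDITOR_AFFECTED_SAMPLE" ]; then
        echo "affected sample present: $webroot/$CKEDITOR_AFFECTED_SAMPLE"
        found=0
    fi
    if [ -d "$webroot/$CKEDITOR_SAMPLES_DIR" ]; then
        echo "samples directory present: $webroot/$CKEDITOR_SAMPLES_DIR"
        found=0
    fi
    return $found
}

# Deletes the whole samples tree (not just ajax.html, since every sample is
# unsupported in production) and returns 0 only if nothing remains.
ckeditor_samples_remove() {
    webroot="$1"
    # Guard against an empty argument expanding to "/ckeditor/samples".
    [ -n "$webroot" ] && [ -d "$webroot" ] || return 2
    rm -rf "$webroot/$CKEDITOR_SAMPLES_DIR"
    ! ckeditor_samples_present "$webroot" >/dev/null
}

# Constructed demo web root so the script is runnable offline; the file
# contents are placeholders, not the real sample.
demo_root="$(mktemp -d)"
mkdir -p "$demo_root/ckeditor/samples/old"
echo '<html></html>' > "$demo_root/ckeditor/samples/old/ajax.html"
echo '// placeholder' > "$demo_root/ckeditor/ckeditor.js"

if ckeditor_samples_present "$demo_root"; then
    echo "removing samples from $demo_root"
    ckeditor_samples_remove "$demo_root" && echo "web root is clean"
fi
rm -rf "$demo_root"
```

Run `ckeditor_samples_present /var/www/html` (or whatever your document root is) against each deployment; where the files cannot be removed immediately, blocking requests to the `/ckeditor/samples/` path at the web server is an equivalent stop-gap, but deleting the directory is the fix the advisory's guidance implies.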