CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-37905 – Cross-site Scripting (XSS) in Source Mode of Editor in ckeditor-wordcount-plugin
https://notcve.org/view.php?id=CVE-2023-37905
ckeditor-wordcount-plugin is an open source WordCount Plugin for CKEditor. It has been discovered that the `ckeditor-wordcount-plugin` plugin for CKEditor4 is susceptible to cross-site scripting when switching to the source code mode. This issue has been addressed in version 1.17.12 of the `ckeditor-wordcount-plugin` plugin and users are advised to upgrade. There are no known workarounds for this vulnerability. ckeditor-wordcount-plugin es un complemento WordCount de código abierto para CKEditor. Se ha descubierto que el complemento `ckeditor-wordcount-plugin` para CKEditor4 es susceptible a Cross-Site Scripting al cambiar al modo de código fuente. • https://github.com/TYPO3/typo3/security/advisories/GHSA-m8fw-p3cr-6jqc https://github.com/w8tcha/CKEditor-WordCount-Plugin/commit/0f03b3e5b7c1409998a13aba3a95396e6fa349d8 https://github.com/w8tcha/CKEditor-WordCount-Plugin/commit/a4b154bdf35b3465320136fcb078f196b437c2f1 https://github.com/w8tcha/CKEditor-WordCount-Plugin/security/advisories/GHSA-q9w4-w667-qqj4 https://typo3.org/security/advisory/typo3-core-sa-2023-004 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2023-31541
https://notcve.org/view.php?id=CVE-2023-31541
A unrestricted file upload vulnerability was discovered in the ‘Browse and upload images’ feature of the CKEditor v1.2.3 plugin for Redmine, which allows arbitrary files to be uploaded to the server. • https://github.com/DreamD2v/CVE-2023-31541 http://redmine.com http://redmineckeditor.com https://github.com/DreamD2v/CVE-2023-31541/blob/main/CVE-2023-31541.md • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2023-28439 – ckeditor4 plugins vulnerable to cross-site scripting caused by the editor instance destroying process
https://notcve.org/view.php?id=CVE-2023-28439
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages on a web page with missing proper Content Security Policy configuration; initializing the editor on an element and using an element other than `<textarea>` as a base; and destroying the editor instance. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism. A fix is available in CKEditor4 version 4.21.0. In some rare cases, a security fix may be considered a breaking change. • https://ckeditor.com/cke4/addon/embed https://ckeditor.com/cke4/addon/iframe https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-vh5c-xwqv-cv9g https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GWKG2VCPJNETVCDTXU4X6FQ2PO6XCNGN https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L4ODGOW6PYVOXHQSMWJBOCE6DXWAI33W https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCYKD3JZWWA3ESOZG4PHJJEXT4EYIUIQ • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2022-48110 – CKEditor 5 35.4.0 - Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2022-48110
CKSource CKEditor 5 35.4.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Full Featured CKEditor5 widget. NOTE: the vendor's position is that this is not a vulnerability. The CKEditor 5 documentation discusses that it is the responsibility of an integrator (who is adding CKEditor 5 functionality to a website) to choose the correct security settings for their use case. Also, safe default values are established (e.g., config.htmlEmbed.showPreviews is false). • https://www.exploit-db.com/exploits/51260 https://ckeditor.com/docs/ckeditor5/latest/features/html-embed.html https://packetstormsecurity.com/files/170927/CKSource-CKEditor5-35.4.0-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-31175 – Cross-site scripting caused by the editor instance destroying process in ckeditor5
https://notcve.org/view.php?id=CVE-2022-31175
CKEditor 5 is a JavaScript rich text editor. A cross-site scripting vulnerability has been discovered affecting three optional CKEditor 5's packages in versions prior to 35.0.1. The vulnerability allowed to trigger a JavaScript code after fulfilling special conditions. The affected packages are `@ckeditor/ckeditor5-markdown-gfm`, `@ckeditor/ckeditor5-html-support`, and `@ckeditor/ckeditor5-html-embed`. The specific conditions are 1) Using one of the affected packages. • https://ckeditor.com/docs/ckeditor5/latest/features/general-html-support.html https://ckeditor.com/docs/ckeditor5/latest/features/html-embed.html https://ckeditor.com/docs/ckeditor5/latest/features/markdown.html https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-42wq-rch8-6f6j • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •