
CVE-2025-25299 – Cross-site scripting (XSS) in the real-time collaboration package
https://notcve.org/view.php?id=CVE-2025-25299
20 Feb 2025 — CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. During a recent internal audit, a Cross-Site Scripting (XSS) vulnerability was discovered in the CKEditor 5 real-time collaboration package. This vulnerability affects user markers, which represent users' positions within the document. It can lead to unauthorized JavaScript code execution, which might happen with a very specific editor and token endpoint configuration. This vulnerability affects only installations with Real-time co... • https://ckeditor.com/docs/ckeditor5/latest/features/collaboration/real-time-collaboration/real-time-collaboration.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •

CVE-2024-45613 – CKEditor 5 has Cross-site Scripting vulnerability in the clipboard package
https://notcve.org/view.php?id=CVE-2024-45613
25 Sep 2024 — CKEditor 5 is a JavaScript rich-text editor. Starting in version 40.0.0 and prior to version 43.1.1, a Cross-Site Scripting (XSS) vulnerability is present in the CKEditor 5 clipboard package. This vulnerability could be triggered by a specific user action, leading to unauthorized JavaScript code execution, if the attacker managed to insert malicious content into the editor, which might happen with a very specific editor configuration. This vulnerability only affects installations where the Block Toolbar p... • https://github.com/ckeditor/ckeditor5/releases/tag/v43.1.1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-43411 – CKEditor4 has a low risk cross-site scripting (XSS) vulnerability from domain takeover
https://notcve.org/view.php?id=CVE-2024-43411
21 Aug 2024 — CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A theoretical vulnerability has been identified in CKEditor 4.22 (and above). In a highly unlikely scenario where an attacker gains control over the https://cke4.ckeditor.com domain, they could potentially execute an attack on CKEditor 4 instances. The issue impacts only editor instances with enabled version notifications. Please note that this feature is disabled by default in all CKEditor 4 LTS versions. • https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-6v96-m24v-f58j • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-43407 – Code Snippet GeSHi plugin has reflected cross-site scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-43407
21 Aug 2024 — CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A potential vulnerability has been discovered in CKEditor 4 Code Snippet GeSHi plugin. The vulnerability allowed a reflected XSS attack by exploiting a flaw in the GeSHi syntax highlighter library hosted by the victim. The GeSHi library was included as a vendor dependency in CKEditor 4 source files. In a specific scenario, an attacker could craft a malicious script that could be executed by sending a request to the GeSHi library hosted on... • https://github.com/ckeditor/ckeditor4/commit/71072c9f7f263329841bd38e7e5309074c82ef94 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-24816 – Cross-site scripting (XSS) vulnerability in samples with enabled the preview feature
https://notcve.org/view.php?id=CVE-2024-24816
07 Feb 2024 — CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in versions prior to 4.24.0-lts in samples that use the `preview` feature. All integrators that use these samples in production code can be affected. The vulnerability allows an attacker to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using CKEditor 4 at version < 4.24.0-lts with affected samples used in a productio... • https://github.com/afine-com/CVE-2024-24816 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-24815 – CKEditor4 Cross-site scripting (XSS) vulnerability caused by incorrect CDATA detection
https://notcve.org/view.php?id=CVE-2024-24815
07 Feb 2024 — CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in the core HTML parsing module in versions of CKEditor4 prior to 4.24.0-lts. It may affect all editor instances that enabled full-page editing mode or enabled CDATA elements in Advanced Content Filtering configuration (defaults to `script` and `style` elements). The vulnerability allows attackers to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which... • https://ckeditor.com/docs/ckeditor4/latest/api/CKEDITOR_dtd.html#property-S-cdata • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-37905 – Cross-site Scripting (XSS) in Source Mode of Editor in ckeditor-wordcount-plugin
https://notcve.org/view.php?id=CVE-2023-37905
21 Jul 2023 — ckeditor-wordcount-plugin is an open source WordCount Plugin for CKEditor. It has been discovered that the `ckeditor-wordcount-plugin` plugin for CKEditor4 is susceptible to cross-site scripting when switching to the source code mode. This issue has been addressed in version 1.17.12 of the `ckeditor-wordcount-plugin` plugin and users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/TYPO3/typo3/security/advisories/GHSA-m8fw-p3cr-6jqc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-31541
https://notcve.org/view.php?id=CVE-2023-31541
13 Jun 2023 — An unrestricted file upload vulnerability was discovered in the ‘Browse and upload images’ feature of the CKEditor v1.2.3 plugin for Redmine, which allows arbitrary files to be uploaded to the server. • https://github.com/DreamD2v/CVE-2023-31541 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2023-28439 – ckeditor4 plugins vulnerable to cross-site scripting caused by the editor instance destroying process
https://notcve.org/view.php?id=CVE-2023-28439
22 Mar 2023 — CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages on a web page with missing proper Content Security Policy configuration; initializing the editor on an element and using an element other than `

CVE-2022-48110 – CKEditor 5 35.4.0 - Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2022-48110
13 Feb 2023 — CKSource CKEditor 5 35.4.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Full Featured CKEditor5 widget. NOTE: the vendor's position is that this is not a vulnerability. The CKEditor 5 documentation discusses that it is the responsibility of an integrator (who is adding CKEditor 5 functionality to a website) to choose the correct security settings for their use case. Also, safe default values are established (e.g., config.htmlEmbed.showPreviews is false). • https://www.exploit-db.com/exploits/51260 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •