CVE-2024-45613 – CKEditor 5 has Cross-site Scripting vulnerability in the clipboard package
https://notcve.org/view.php?id=CVE-2024-45613
CKEditor 5 is a JavaScript rich-text editor. Starting in version 40.0.0 and prior to version 43.1.1, a Cross-Site Scripting (XSS) vulnerability is present in the CKEditor 5 clipboard package. This vulnerability could be triggered by a specific user action, leading to unauthorized JavaScript code execution, if the attacker managed to insert a malicious content into the editor, which might happen with a very specific editor configuration. This vulnerability only affects installations where the Block Toolbar plugin is enabled and either the General HTML Support (with a configuration that permits unsafe markup) or the HTML Embed plugin is also enabled. A fix for the problem is available in version 43.1.1. • https://github.com/ckeditor/ckeditor5/releases/tag/v43.1.1 https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-rgg8-g5x8-wr9v • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-43411 – CKEditor4 has a low risk cross-site scripting (XSS) vulnerability from domain takeover
https://notcve.org/view.php?id=CVE-2024-43411
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A theoretical vulnerability has been identified in CKEditor 4.22 (and above). In a highly unlikely scenario where an attacker gains control over the https://cke4.ckeditor.com domain, they could potentially execute an attack on CKEditor 4 instances. The issue impacts only editor instances with enabled version notifications. Please note that this feature is disabled by default in all CKEditor 4 LTS versions. • https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-6v96-m24v-f58j https://github.com/ckeditor/ckeditor4/commit/b5069c9cb769ea22eae1cbd7200f22b1cf2e3a7f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-43407 – Code Snippet GeSHi plugin has reflected cross-site scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-43407
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A potential vulnerability has been discovered in CKEditor 4 Code Snippet GeSHi plugin. The vulnerability allowed a reflected XSS attack by exploiting a flaw in the GeSHi syntax highlighter library hosted by the victim. The GeSHi library was included as a vendor dependency in CKEditor 4 source files. In a specific scenario, an attacker could craft a malicious script that could be executed by sending a request to the GeSHi library hosted on a PHP web server. • https://github.com/ckeditor/ckeditor4/commit/71072c9f7f263329841bd38e7e5309074c82ef94 https://github.com/ckeditor/ckeditor4/commit/951e7d75fcbcaa2590b0719fb0bb0dd0539ca6fa https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7r32-vfj5-c2jv • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-24816 – Cross-site scripting (XSS) vulnerability in samples with enabled the preview feature
https://notcve.org/view.php?id=CVE-2024-24816
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability vulnerability has been discovered in versions prior to 4.24.0-lts in samples that use the `preview` feature. All integrators that use these samples in the production code can be affected. The vulnerability allows an attacker to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using the CKEditor 4 at version < 4.24.0-lts with affected samples used in a production environment. • https://github.com/afine-com/CVE-2024-24816 https://ckeditor.com/cke4/addon/preview https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-24815 – CKEditor4 Cross-site scripting (XSS) vulnerability caused by incorrect CDATA detection
https://notcve.org/view.php?id=CVE-2024-24815
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in the core HTML parsing module in versions of CKEditor4 prior to 4.24.0-lts. It may affect all editor instances that enabled full-page editing mode or enabled CDATA elements in Advanced Content Filtering configuration (defaults to `script` and `style` elements). The vulnerability allows attackers to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code. An attacker could abuse faulty CDATA content detection and use it to prepare an intentional attack on the editor. • https://ckeditor.com/docs/ckeditor4/latest/api/CKEDITOR_dtd.html#property-S-cdata https://ckeditor.com/docs/ckeditor4/latest/features/fullpage.html https://ckeditor.com/docs/ckeditor4/latest/guide/dev_advanced_content_filter.html https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm https://www.drupal.org/sa-contrib-2024-009 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •