
CVE-2024-24816 – Cross-site scripting (XSS) vulnerability in samples with the preview feature enabled
https://notcve.org/view.php?id=CVE-2024-24816
07 Feb 2024 — CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in versions prior to 4.24.0-lts in samples that use the `preview` feature. All integrators that use these samples in production code can be affected. The vulnerability allows an attacker to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using CKEditor 4 at version < 4.24.0-lts with affected samples used in a productio... • https://github.com/afine-com/CVE-2024-24816 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-24815 – CKEditor4 Cross-site scripting (XSS) vulnerability caused by incorrect CDATA detection
https://notcve.org/view.php?id=CVE-2024-24815
07 Feb 2024 — CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in the core HTML parsing module in versions of CKEditor4 prior to 4.24.0-lts. It may affect all editor instances that enabled full-page editing mode or enabled CDATA elements in the Advanced Content Filtering configuration (defaults to `script` and `style` elements). The vulnerability allows attackers to inject malformed HTML content bypassing the Advanced Content Filtering mechanism, which... • https://ckeditor.com/docs/ckeditor4/latest/api/CKEDITOR_dtd.html#property-S-cdata • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-37905 – Cross-site Scripting (XSS) in Source Mode of Editor in ckeditor-wordcount-plugin
https://notcve.org/view.php?id=CVE-2023-37905
21 Jul 2023 — ckeditor-wordcount-plugin is an open source WordCount Plugin for CKEditor. It has been discovered that the `ckeditor-wordcount-plugin` plugin for CKEditor4 is susceptible to cross-site scripting when switching to the source code mode. This issue has been addressed in version 1.17.12 of the `ckeditor-wordcount-plugin` plugin and users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/TYPO3/typo3/security/advisories/GHSA-m8fw-p3cr-6jqc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-31541
https://notcve.org/view.php?id=CVE-2023-31541
13 Jun 2023 — An unrestricted file upload vulnerability was discovered in the ‘Browse and upload images’ feature of the CKEditor v1.2.3 plugin for Redmine, which allows arbitrary files to be uploaded to the server. • https://github.com/DreamD2v/CVE-2023-31541 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2023-28439 – ckeditor4 plugins vulnerable to cross-site scripting caused by the editor instance destroying process
https://notcve.org/view.php?id=CVE-2023-28439
22 Mar 2023 — CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting the Iframe Dialog and Media Embed packages. The vulnerability may trigger JavaScript code once special conditions are met: using one of the affected packages on a web page that lacks a proper Content Security Policy configuration; initializing the editor on an element and using an element other than `

CVE-2022-48110 – CKEditor 5 35.4.0 - Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2022-48110
13 Feb 2023 — CKSource CKEditor 5 35.4.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Full Featured CKEditor5 widget. NOTE: the vendor's position is that this is not a vulnerability. The CKEditor 5 documentation discusses that it is the responsibility of an integrator (who is adding CKEditor 5 functionality to a website) to choose the correct security settings for their use case. Also, safe default values are established (e.g., config.htmlEmbed.showPreviews is false). • https://www.exploit-db.com/exploits/51260 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2022-24728 – Cross-site Scripting in CKEditor4
https://notcve.org/view.php?id=CVE-2022-24728
16 Mar 2022 — CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds. • https://ckeditor.com/cke4/release/CKEditor-4.18.0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2022-24729 – Regular expression Denial of Service in dialog plugin
https://notcve.org/view.php?id=CVE-2022-24729
16 Mar 2022 — CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds. • https://ckeditor.com/cke4/release/CKEditor-4.18.0 • CWE-400: Uncontrolled Resource Consumption • CWE-1333: Inefficient Regular Expression Complexity •

CVE-2021-41165 – HTML comments vulnerability allowing execution of JavaScript code
https://notcve.org/view.php?id=CVE-2021-41165
17 Nov 2021 — CKEditor4 is an open source WYSIWYG HTML editor. In affected versions, a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed injection of malformed HTML comments bypassing content sanitization, which could result in executing JavaScript code. It affects all users using CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. • https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2021-41164 – Advanced Content Filter (ACF) vulnerability allowing execution of JavaScript code using malformed HTML
https://notcve.org/view.php?id=CVE-2021-41164
17 Nov 2021 — CKEditor4 is an open source WYSIWYG HTML editor. In affected versions, a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed injection of malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. • https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •