CVE-2024-43411 – CKEditor4 has a low risk cross-site scripting (XSS) vulnerability from domain takeover
https://notcve.org/view.php?id=CVE-2024-43411
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A theoretical vulnerability has been identified in CKEditor 4.22 (and above). In a highly unlikely scenario where an attacker gains control over the https://cke4.ckeditor.com domain, they could potentially execute an attack on CKEditor 4 instances. The issue impacts only editor instances with version notifications enabled. Please note that this feature is disabled by default in all CKEditor 4 LTS versions.

References:
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-6v96-m24v-f58j
https://github.com/ckeditor/ckeditor4/commit/b5069c9cb769ea22eae1cbd7200f22b1cf2e3a7f

Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-43407 – Code Snippet GeSHi plugin has reflected cross-site scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-43407
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A potential vulnerability has been discovered in the CKEditor 4 Code Snippet GeSHi plugin. The vulnerability allowed a reflected XSS attack by exploiting a flaw in the GeSHi syntax highlighter library hosted by the victim. The GeSHi library was included as a vendor dependency in CKEditor 4 source files. In a specific scenario, an attacker could craft a malicious script that could be executed by sending a request to the GeSHi library hosted on a PHP web server.

References:
https://github.com/ckeditor/ckeditor4/commit/71072c9f7f263329841bd38e7e5309074c82ef94
https://github.com/ckeditor/ckeditor4/commit/951e7d75fcbcaa2590b0719fb0bb0dd0539ca6fa
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7r32-vfj5-c2jv

Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')