CVE-2022-31175

Cross-site scripting caused by the editor instance destroying process in ckeditor5

Severity Score

4.7

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

CKEditor 5 is a JavaScript rich text editor. A cross-site scripting vulnerability has been discovered affecting three optional CKEditor 5's packages in versions prior to 35.0.1. The vulnerability allowed to trigger a JavaScript code after fulfilling special conditions. The affected packages are `@ckeditor/ckeditor5-markdown-gfm`, `@ckeditor/ckeditor5-html-support`, and `@ckeditor/ckeditor5-html-embed`. The specific conditions are 1) Using one of the affected packages. In case of `ckeditor5-html-support` and `ckeditor5-html-embed`, additionally, it was required to use a configuration that allows unsafe markup inside the editor. 2) Destroying the editor instance and 3) Initializing the editor on an element and using an element other than `<textarea>` as a base. The root cause of the issue was a mechanism responsible for updating the source element with the markup coming from the CKEditor 5 data pipeline after destroying the editor. This vulnerability might affect a small percent of integrators that depend on dynamic editor initialization/destroy and use Markdown, General HTML Support or HTML embed features. The problem has been recognized and patched. The fix is available in version 35.0.1. There are no known workarounds for this issue.

CKEditor 5 es un editor de texto enriquecido en JavaScript. Se ha detectado una vulnerabilidad de tipo cross-site scripting que afecta a tres paquetes opcionales de CKEditor 5 en versiones anteriores a 35.0.1. La vulnerabilidad permitía desencadenar un código JavaScript tras cumplir unas condiciones especiales. Los paquetes afectados son "@ckeditor/ckeditor5-markdown-gfm", "@ckeditor/ckeditor5-html-support", and "@ckeditor/ckeditor5-html-embed". Las condiciones específicas son 1) Usar uno de los paquetes afectados. En el caso de "ckeditor5-html-support" and "ckeditor5-html-embed", Adicionalmente, se requería usar una configuración que permitiera un marcado no seguro dentro del editor. 2) Destruir la instancia del editor y 3) Inicializar el editor en un elemento y usar un elemento que no sea "(textarea)" como base. La causa del problema era un mecanismo responsable de la actualización del elemento fuente con el marcado procedente de la canalización de datos de CKEditor 5 después de destruir el editor. Esta vulnerabilidad podría afectar a un pequeño porcentaje de integradores que dependen de la inicialización/destrucción dinámica del editor y que usan las funciones Markdown, General HTML Support o HTML embed. El problema ha sido reconocido y parcheado. La corrección está disponible en versión 35.0.1. No se presentan mitigaciones conocidas para este problema

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

Low

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-05-18 CVE Reserved
2022-08-03 CVE Published
2024-02-24 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (4)

URL	Tag	Source
https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-42wq-rch8-6f6j	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://ckeditor.com/docs/ckeditor5/latest/features/general-html-support.html	2022-08-09
https://ckeditor.com/docs/ckeditor5/latest/features/html-embed.html	2022-08-09
https://ckeditor.com/docs/ckeditor5/latest/features/markdown.html	2022-08-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Ckeditor Search vendor "Ckeditor"		Ckeditor5-html-embed Search vendor "Ckeditor" for product "Ckeditor5-html-embed"				< 35.0.1 Search vendor "Ckeditor" for product "Ckeditor5-html-embed" and version " < 35.0.1"		node.js		Affected
Ckeditor Search vendor "Ckeditor"		Ckeditor5-html-support Search vendor "Ckeditor" for product "Ckeditor5-html-support"				< 35.0.1 Search vendor "Ckeditor" for product "Ckeditor5-html-support" and version " < 35.0.1"		node.js		Affected
Ckeditor Search vendor "Ckeditor"		Ckeditor5-markdown-gfm Search vendor "Ckeditor" for product "Ckeditor5-markdown-gfm"				< 35.0.1 Search vendor "Ckeditor" for product "Ckeditor5-markdown-gfm" and version " < 35.0.1"		node.js		Affected