Skip to content

Low-risk cross-site scripting (XSS) vulnerability linked to potential domain takeover

Low
jacekbogdanski published GHSA-6v96-m24v-f58j Aug 21, 2024

Package

No package listed

Affected versions

>= 4.22.0, < 4.25.0-lts

Patched versions

4.25.0-lts

Description

Affected Packages

The issue impacts only editor instances with enabled version notifications.

Please note that this feature is disabled by default in all CKEditor 4 LTS versions. Therefore, if you use CKEditor 4 LTS, it is highly unlikely that you are affected by this vulnerability. If you are unsure, please contact us.

Impact

A theoretical vulnerability has been identified in CKEditor 4.22 (and above). In a highly unlikely scenario where an attacker gains control over the https://cke4.ckeditor.com domain, they could potentially execute an attack on CKEditor 4 instances. Although the vulnerability is purely hypothetical, we have addressed it in CKEditor 4.25.0-lts to ensure compliance with security best practices.

Patches

The issue has been recognized and patched. The fix is available in version 4.25.0-lts.

For More Information

If you have any questions or comments about this advisory, please email us at [email protected].

Severity

Low

CVE ID

CVE-2024-43411

Weaknesses

No CWEs