CVE-2024-45613

CKEditor 5 is a JavaScript rich-text editor. Starting in version 40.0.0 and prior to version 43.1.1, a Cross-Site Scripting (XSS) vulnerability is present in the CKEditor 5 clipboard package. This vulnerability could be triggered by a specific user action, leading to unauthorized JavaScript code execution, if the attacker managed to insert a malicious content into the editor, which might happen with a very specific editor configuration. This vulnerability only affects installations where the Block Toolbar plugin is enabled and either the General HTML Support (with a configuration that permits unsafe markup) or the HTML Embed plugin is also enabled. A fix for the problem is available in version 43.1.1. As a workaround, one may disable the block toolbar plugin.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/ckeditor/ckeditor5/releases/tag/v43.1.1	Release Notes
https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-rgg8-g5x8-wr9v	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:ckeditor:ckeditor5:*:*:*:*:*:*:*:*

History

01 Oct 2024, 16:26

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~7.2~~	v2 : unknown v3 : 6.1
CPE		cpe:2.3:a:ckeditor:ckeditor5::::::::
First Time		Ckeditor ckeditor5 Ckeditor
References	~~() https://github.com/ckeditor/ckeditor5/releases/tag/v43.1.1 -~~	() https://github.com/ckeditor/ckeditor5/releases/tag/v43.1.1 - Release Notes
References	~~() https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-rgg8-g5x8-wr9v -~~	() https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-rgg8-g5x8-wr9v - Third Party Advisory

26 Sep 2024, 13:32

Type	Values Removed	Values Added
Summary		(es) CKEditor 5 es un editor de texto enriquecido de JavaScript. A partir de la versión 40.0.0 y antes de la versión 43.1.1, existe una vulnerabilidad de tipo Cross-Site Scripting (XSS) en el paquete de portapapeles de CKEditor 5. Esta vulnerabilidad podría ser activada por una acción específica del usuario, lo que llevaría a la ejecución no autorizada de código JavaScript, si el atacante lograra insertar un contenido malicioso en el editor, lo que podría suceder con una configuración de editor muy específica. Esta vulnerabilidad solo afecta a las instalaciones donde está habilitado el complemento Block Toolbar y también está habilitado General HTML Support (con una configuración que permite marcado no seguro) o el complemento HTML Embed. Hay una solución para el problema disponible en la versión 43.1.1. Como workaround, se puede deshabilitar el complemento Block Toolbar.

25 Sep 2024, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-25 14:15

Updated : 2024-10-01 22:15

NVD link : CVE-2024-45613

Mitre link : CVE-2024-45613

CVE.ORG link : CVE-2024-45613

JSON object : View

Products Affected

ckeditor

ckeditor5

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.1 /10