CVE-2018-17960 — Cross-site Scripting in Ckeditor

CWE-79 — Cross-site Scripting9 documents6 sources

Severity

6.1MEDIUMNVD

EPSS

2.0%

top 16.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ckeditor Typo3 CMS Typo3 Cms-core

Timeline

PublishedNov 14

Latest updateNov 21

Description

CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages5 packages

▶NVDckeditor/ckeditor4.0 — 4.11.0

▶npmckeditor/ckeditor< 4.11.0

▶Debianckeditor/ckeditor< 4.11.1+dfsg-1+1

▶Packagisttypo3/cms8.0.0 — 8.7.21+1

▶Packagisttypo3/cms-core8.0.0 — 8.7.21+1

🔴Vulnerability Details

GHSA

Ckeditor XSS Vulnerability↗2018-11-21

▶

OSV

Ckeditor XSS Vulnerability↗2018-11-21

▶

CVEList

CVE-2018-17960: CKEditor 4↗2018-11-14

▶

OSV

CVE-2018-17960: CKEditor 4↗2018-11-14

▶

📋Vendor Advisories

Debian

CVE-2018-17960: ckeditor - CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode past...↗2018

▶

💬Community

Bugzilla

CVE-2018-17960 ckeditor: XSS involving a source-mode paste↗2018-11-20

▶

Bugzilla

CVE-2018-17960 ckeditor: XSS involving a source-mode paste [fedora-all]↗2018-11-20

▶

Bugzilla

CVE-2018-17960 ckeditor: XSS involving a source-mode paste [epel-all]↗2018-11-20

▶