CVE-2023-28439

Severity: 6.1 MEDIUM
EPSS: 0.4% (top 41.81%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published 2023-03-22; Latest update 2025-02-06

Description

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting the Iframe Dialog and Media Embed packages. JavaScript can be executed only when all of the following conditions are met: one of the affected packages is used on a web page that lacks a proper Content Security Policy configuration; the editor is initialized on an element other than `<textarea>` as its base; and the editor instance is then destroyed. This vulne

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 1.6 | Impact: 2.7

Affected Packages (2)

CVEList V5: ckeditor/ckeditor4, affected < 4.21.0
NVD: ckeditor/ckeditor4, affected from 0 up to (not including) 4.21.0

Also affects: Fedora 37, 38, 39
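Both sources above describe the same half-open interval (everything before 4.21.0), written in two notations. The checker below is an added example, not the tracker's or the CKEditor project's code: it normalises both notations into introduced/fixed bounds and tests an inventory of installed versions against them. The inventory is a constructed sample; distribution packages such as the Fedora builds listed above carry their own versioning and backported fixes and are deliberately not matched by upstream version alone.

```python
"""Match installed CKEditor 4 versions against the affected ranges on this page
(added example, not the tracker's or the project's own code)."""
import re
from typing import Optional, Tuple

# Ranges copied from the page. CVEList V5 gives only an upper bound;
# NVD gives a start of 0 and an exclusive end. Both mean [0, 4.21.0).
AFFECTED = {
    "ckeditor/ckeditor4": [
        {"source": "CVEList V5", "introduced": None, "fixed": "4.21.0"},
        {"source": "NVD", "introduced": "0", "fixed": "4.21.0"},
    ],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric version -> comparable tuple ('4.21.0' -> (4, 21)).
    Trailing zeros are dropped so 4.21 == 4.21.0. Anything that is not a plain
    numeric version (a caret range, a pre-release tag, a distro release string)
    is rejected rather than silently compared as text."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", v.strip())
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(version: str, introduced: Optional[str], fixed: Optional[str]) -> bool:
    """True when introduced <= version < fixed; a missing bound is open."""
    ver = parse_version(version)
    if introduced is not None and ver < parse_version(introduced):
        return False
    if fixed is not None and ver >= parse_version(fixed):
        return False
    return True


def check_inventory(inventory: dict) -> dict:
    """inventory maps package name -> installed version string.
    Returns {package: version} for packages inside every listed affected range,
    and {package: 'unparsable: <spec>'} for versions that could not be compared,
    so an unpinned or distro-style version is surfaced instead of treated as safe."""
    findings = {}
    for pkg, ranges in AFFECTED.items():
        spec = inventory.get(pkg)
        if spec is None:
            continue
        try:
            hit = all(is_affected(spec, r["introduced"], r["fixed"]) for r in ranges)
        except ValueError:
            findings[pkg] = "unparsable: " + spec
            continue
        if hit:
            findings[pkg] = spec
    return findings


if __name__ == "__main__":
    # Constructed sample inventory, not real data.
    sample = {"ckeditor/ckeditor4": "4.20.2", "some/other-lib": "1.0.0"}
    print(check_inventory(sample))
```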

Vulnerability Details (3)

OSV: ckeditor vulnerabilities (2025-02-06)
OSV: CVE-2023-28439: CKEditor4 is an open source what-you-see-is-what-you-get HTML editor (2023-03-22)
CVEList: ckeditor4 plugins vulnerable to cross-site scripting caused by the editor instance destroying process (2023-03-22)

Vendor Advisories (6)

Ubuntu: CKEditor vulnerabilities (2025-02-06)
Oracle: Oracle Siebel CRM Risk Matrix: User Interface (CKEditor), CVE-2023-28439 (2024-10-15)
Oracle: Oracle Analytics Risk Matrix: Visual Analyzer Integration (CKEditor), CVE-2023-28439 (2024-01-15)
Oracle: Oracle Financial Services Applications Risk Matrix: UI (CKEditor), CVE-2023-28439 (2023-10-15)
Oracle: Oracle Commerce Risk Matrix: WebUI (CKEditor), CVE-2023-28439 (2023-07-15)