CVE-2024-43407

Severity: 6.1 MEDIUM
EPSS: 1.9% (top 17.00%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 21; latest update Oct 15

Description

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A potential vulnerability has been discovered in CKEditor 4 Code Snippet GeSHi plugin. The vulnerability allowed a reflected XSS attack by exploiting a flaw in the GeSHi syntax highlighter library hosted by the victim. The GeSHi library was included as a vendor dependency in CKEditor 4 source files. In a specific scenario, an attacker could craft a malicious script that could be executed by sending a request to the GeSHi libra

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (4 packages)

npm: ckeditor4, < 4.25.0
CVEListV5: ckeditor/ckeditor4, < 4.25.0-lts
NVD: ckeditor/ckeditor4, 4.0 to 4.25.0
Packagist: ckeditor/ckeditor, < 4.25.0

Patches

Vulnerability Details (4)

GHSA: Code Snippet GeSHi plugin in CKEditor 4 has reflected cross-site scripting (XSS) vulnerability (2024-08-21)
OSV: CVE-2024-43407: CKEditor4 is an open source what-you-see-is-what-you-get HTML editor (2024-08-21)
CVEList: Code Snippet GeSHi plugin has reflected cross-site scripting (XSS) vulnerability (2024-08-21)
OSV: Code Snippet GeSHi plugin in CKEditor 4 has reflected cross-site scripting (XSS) vulnerability (2024-08-21)

Vendor Advisories (2)

Oracle: Oracle Financial Services Applications Risk Matrix: Authentication (CKEditor), CVE-2024-43407 (2024-10-15)
Debian: CVE-2024-43407: ckeditor - CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A potentia... (2024)